B&B Bezpieczeństwo w biznesie

Fortinet has published an update for FortiAuthenticator, version 6.2.2. For security reasons, the new software version updates the OpenLDAP, libxml2 and OpenSSL components, which means that FortiAuthenticator in this version is free of the CVE-2022-0778 vulnerability.

Resolved issues:

Bug ID Description
700957 User logon is not working with FSSOMA mobility agent.
837219 FortiAuthenticator-VM on same Hyper-V host cannot form HA A/A cluster after July 2022 Windows Updates.
861776 Upgrade OpenSSL from 1.1.1n to 1.1.1s, then again to 1.1.1t.
668337 Allowed hosts configuration through CLI not reflected in the GUI before reboot.
831595 Setting timezone and DNS does not clear the GUI settings cache.
791452 OpenSSL 1.1.1n – Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778).
800714 [3rd party component upgrade required for security reasons] FortiAuthenticator – OpenLDAP to 2.6.2.
814167 [3rd party component upgrade required for security reasons] FortiAuthenticator – libxml2 to 2.9.14.
803891 SAML peer certificate expiration issue and XML security issue.

Common Vulnerabilities and Exposures

FortiAuthenticator is no longer vulnerable to the following CVE-Reference(s):

Bug ID CVE references
791452 CVE-2022-0778

Known issues:

Bug ID Description
666880 GUI – Hide SNMP trap option for PSU monitoring for unsupported devices.
601603 CLI only supports configuring interfaces port1 to port4.
666636 Wrong group attributes indicator in RADIUS policy response table for EAP-TLS.
637199 Add default usage profiles.
615442 No Kerberos ticket requests (negotiate) on encrypted HTTPS traffic from FortiAuthenticator.
485396 Sponsor/Admin can place created Guest users into any group.
588310 FortiAuthenticator dropping FSSO login events from DC Agent on failed DNS resolution.
673303 Fine-grained menu content has misaligned pointer in SSO/General.
630041 FortiAuthenticator FSSO – TS Agent sessions stuck at zero after server reboot until FSSOTA service is restarted.
673319 Admin cannot log in to approve the self-registration when group filters are set without admin user in Guest Portal policy.
652072 When LDAP user password expired, user is not prompted for RSA token code (chained token authentication).
631600 SCEP request by certmonger cannot be recognized by automatic enrollment request.
632629 Smart Connect WPA2-Personal profile fails when WPA2-Enterprise settings are left in place.
588346 An expired certificate is delivered toward WiFi authenticated users.
632637 Smart Connect missing the ability to forget an SSID.
595012 Should be able to resize the users page column width manually by using mouse.
628815 Remote SAML user import from Azure AD fails authorization issue.
602707 Unable to add multiple alternate DNS names into certificate for user certificates.
577877 Allow bulk unlock for FTM tokens.
670811 Remote SAML user import from Azure AD issues.
606562 FortiAuthenticator rejects certificate signing requests from FortiGate client with invalid password error.
637028 SSL connection failed in case of certificate expired error message is not explicit.
637290 No FTM push notification with Windows agent 3.0.
670827 FortiGate filtering stops any users sent to FortiGate even though users are member of group/container.
671345 FortiAuthenticator Windows Agent prompts for token despite incorrect password, and then does not prompt for user credentials again.
657522 SAML authentication fails when AD display name contains a comma (,) and user has admin role.
526202 FortiAuthenticator does not check if signature of CSR is valid.
669054 Unable to install FAC-VM-HV 6.2.0 on server 2012 R2.
673151 Domain controller query status shows failed with successful queries.
566145 Usage Profile TIME USAGE=Time used is not triggering COA or disconnect request to FortiGate.
660357 FSSO FortiGate IP filter ignored when global group prefilter is enabled.
669079 HTTPS certificate chain is inconsistent/incorrect.
646299 Nutanix AHV KVM based Hypervisor FortiAuthenticator upgrade from 6.0.4 to 6.1.x fails, and hangs on "Waiting for Database".
666782 If local CA is selected for EAP and no EAP server certificate is present on FortiAuthenticator, radiusd keeps crashing after upgrading to 6.2.0.
589219 Multiple DC’s kerberos traffic after FortiAuthenticator joining the domain with local DC.
638374 SCEP – Encryption/hash compatibility with clients.
601520 Recurrent log message: Portal was not found in the session, redirecting back to entry point.
668337 Allowed hosts configuration through CLI is not reflected in GUI before reboot.
544691 Remote LDAP admins have no certificate bindings.
645043 GUI does not show certificate UPN.
592837 Sponsor accounts can add guest user accounts to non-guest groups.
666571 "Portal was not found in the session" when registering a guest with non-ASCII characters ("Umlauts").
672987 After upgrading FortiAuthenticator from 5.4 to 6.x, Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
634084 Unable to export third party signed certificate with private key when CSR is generated locally on FortiAuthenticator.
650215 FortiAuthenticator Windows Agent 3.0 – New RDP connection by the same user is unable to finish due to blank login screen.
672750 When trying to access the self-service portal, the error "Please enter correct credentials. Note password is case-sensitive" is randomly displayed.
543729 RADIUS client service not working after upgrade.
668916 Subdomain users can authenticate over FortiAuthenticator Agent installed on workstation in main domain without the token code.
635893 Change password not working with Checkpoint VPN when 2FA is enabled.
655350 The lockout policy does not apply to username/token submissions to the /auth API endpoint.
604156 Packet captures on OCI seem to be corrupt.
604924 SAML SSO/Proxy metadata download fails with "invalid_xml".

Vendor release notes: FortiAuthenticator 6.2.2

Regards,

The B&B Team
Bezpieczeństwo w biznesie
