Fortinet has released a new version of FortiAuthenticator, 6.6.3. This update focuses primarily on improving stability and security. The problem with zero-trust tunnels to multiple FortiGates, which previously did not work correctly, has been resolved. SAML login handling has been improved, including a fix to the group filtering mechanism and the elimination of errors when working with a larger number of realms. Security-related components have also been updated: FortiAuthenticator is no longer vulnerable to CVE-2024-3596. In addition, dozens of other fixes reported by users have been included.

What's new:

User portal: Allow guests to explicitly input the endorser email address

When a self-service portal is configured to allow user account registration with the endorser approval, you can now select between the following two input methods for registrants to specify their endorser:

  • Select from list: The registrant selects their endorser from a list of the group members.
  • Enter manually: The registrant provides the email address of the endorser. Only the email addresses of authorized endorsers are accepted.

When configuring a portal in Authentication > Portals > Portals, the following options have been updated:

  • Enable email to freeform addresses in Require administrator approval has been renamed to Forward all approvals to the following email addresses.
    • The Administrator email addresses field has been renamed to Email addresses.
  • Select User Groups allowed to approve new user registrations has been renamed to Let registrant specify their endorser with the following two options:
    • Select from list
    • Enter manually
  • Approver Groups has been renamed to Authorized Endorsers with the following two options:
    • Based on groups
    • Based on domains

CMPv2: Add CRL/OCSP extensions

When the CMP service issues certificates, it can now optionally set the CRL distribution point and/or OCSP responder URL extensions in the same way that the SCEP service already supports.

When creating a new certificate enrollment request in Certificate Management > CMP > Enrollment Requests, a new Other Extensions pane is available.

Allow provisioning on 3rd party MFA applications

FortiAuthenticator users can now use 3rd party MFA applications for authentication.

End users can now install FortiToken Mobile tokens in 3rd party applications, e.g., Google Authenticator.

Push notifications are not supported when using a 3rd party MFA application.
FortiToken Mobile tokens cannot be transferred to a 3rd party MFA application.
It is recommended that you use FortiToken Mobile for the FortiAuthenticator use case as well as for MFA with 3rd party websites and applications, as FortiToken Mobile supports all OAuth compliant MFA.

For integration with a 3rd party authentication server that manages token validation, the FortiToken Mobile seed can be returned during provisioning by:

  • Returning the seed when creating a new local user via the POST method and when provisioning a FortiToken Mobile to an existing user via the PATCH method.
  • Specifying the GET URL parameter (returnseed=1) to explicitly inform FortiAuthenticator to trigger FortiToken Mobile activation, i.e., send the FortiToken Mobile activation code to the end user via email or SMS, and return an encrypted seed in PSKC format for the token that can be used to provision a 3rd party MFA application, e.g., https://[server_name]/api/v1/localusers/2/?returnseed=1.
  • Specifying the GET URL parameter (returnseed=2) to explicitly inform FortiAuthenticator to skip FortiToken Mobile activation, i.e., not send the FortiToken Mobile activation code to the end user via email or SMS, and return an encrypted seed in PSKC format for the token that can be used to provision a 3rd party MFA application, e.g., https://[server_name]/api/v1/localusers/2/?returnseed=2.
  • Specifying a seed encryption passphrase in the FortiGuard settings.

When a FortiToken Mobile is provisioned with returnseed=1:

  • FortiAuthenticator sends the activation code to the end user via email or SMS.
  • FortiAuthenticator returns the FortiToken Mobile activation code in the API response.
  • The status of the FortiToken Mobile is displayed in the FortiAuthenticator administrator UI as pending until FortiToken Mobile provisioning is complete.
  • FortiToken Mobile provisioning is complete once activation has been successfully completed in the FortiToken Mobile application.

When a FortiToken Mobile is provisioned with returnseed=2:

  • FortiAuthenticator does not send the activation code to the end user via email or SMS.
  • FortiAuthenticator does not return the FortiToken Mobile activation code in the API response.
  • The status of the FortiToken Mobile is displayed in the FortiAuthenticator administrator UI as reserved until FortiToken Mobile provisioning is complete.
  • FortiToken Mobile provisioning is complete when a valid OTP is submitted to the FortiAuthenticator through /api/v1/auth/ or /api/v1/realmauth/ endpoints.

Note:

  • The same modifications also apply to the /api/v1/ldapusers/ endpoint except that it only supports FortiToken Mobile provisioning via the PATCH method.
  • When the /api/v1/auth/ or /api/v1/realmauth/ endpoints are called with a valid OTP for a user account provisioned with a reserved FortiToken Mobile, FortiAuthenticator transitions the FortiToken Mobile to the assigned state. This is true whether FortiAuthenticator is configured in the online FortiToken Mobile mode or the offline FortiToken Mobile mode.

In the GUI:

  • User account: When viewing a user account that has a 3rd party FortiToken Mobile provisioned in the pending state, the page provides a way to enter a valid OTP so that the FortiAuthenticator administrator can transition the 3rd party FortiToken Mobile to the assigned state.

    FortiAuthenticator provides this capability in the same way as when operating in the offline FortiToken Mobile mode, except that it does not show an offline provisioning QR code with the OTP validation input.

  • Self-service portal (post-login): If an end user accesses the Two-factor Authentication page of the self-service portal while their account is provisioned with a pending 3rd party FortiToken Mobile, the self-service portal provides a way to enter a valid OTP so that the end user can complete the 3rd party FortiToken Mobile provisioning, i.e., transition the FortiToken Mobile to the assigned state.
  • Self-service portal (pre-login): If an end user tries to log in to the self-service portal while their account is provisioned with a pending 3rd party FortiToken Mobile, FortiAuthenticator treats the account as if token authentication is enabled and therefore must ask for an OTP.
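
As an added illustration (not FortiAuthenticator's own code), the following Python models the token states described above: a token provisioned with returnseed=2 starts as reserved and becomes assigned only once a valid OTP is validated, while a token provisioned with returnseed=1 starts as pending and becomes assigned on activation. The MobileToken class, the demo function and the sample seed are constructed for this example; it assumes the token is an RFC 4226/6238 HOTP/TOTP token of the kind that authenticator apps such as Google Authenticator consume, and adds the clock-drift window and replay check a validating endpoint needs.

```python
import hmac
import hashlib
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step, digits)


class MobileToken:
    """Hypothetical model of the pending / reserved / assigned states described
    on this page. It is not FortiAuthenticator's implementation."""

    def __init__(self, seed: bytes, returnseed: int):
        if returnseed not in (1, 2):
            raise ValueError("returnseed must be 1 or 2")
        self.seed = seed
        # returnseed=1: activation code delivered to the user, token shows as pending
        # returnseed=2: nothing delivered, token shows as reserved
        self.state = "pending" if returnseed == 1 else "reserved"
        self.activation_sent = returnseed == 1
        self.last_step = -1  # last accepted time step, used to refuse OTP replay

    def activate(self) -> str:
        """Completes provisioning of a pending token (the user activated it in the app)."""
        if self.state != "pending":
            raise ValueError("only a pending token is completed by activation")
        self.state = "assigned"
        return self.state

    def verify_otp(self, otp: str, at: int, window: int = 1) -> bool:
        """Validates an OTP the way an /api/v1/auth/ call would; a valid OTP moves a
        reserved or pending token to assigned. Accepts +/- `window` steps of clock
        drift and never accepts the same time step twice."""
        step = at // 30
        for candidate in range(step - window, step + window + 1):
            if candidate <= self.last_step:
                continue  # already consumed: a replayed OTP is rejected
            if hmac.compare_digest(hotp(self.seed, candidate), otp):
                self.last_step = candidate
                self.state = "assigned"
                return True
        return False


# Constructed sample seed (the RFC 4226/6238 test vector seed), not a real token seed.
SAMPLE_SEED = b"12345678901234567890"


def demo() -> dict:
    """Walks a reserved token through provisioning and returns what was observed."""
    tok = MobileToken(SAMPLE_SEED, returnseed=2)
    before = tok.state
    wrong = tok.verify_otp("000000", at=59)                  # bad OTP keeps it reserved
    good = tok.verify_otp(totp(SAMPLE_SEED, 59), at=59)      # valid OTP assigns it
    replay = tok.verify_otp(totp(SAMPLE_SEED, 59), at=59)    # same OTP again is refused
    return {"before": before, "wrong": wrong, "good": good,
            "replay": replay, "after": tok.state}


if __name__ == "__main__":
    print(demo())
```

The replay check matters precisely because a reserved token's seed has left the appliance: whoever holds the PSKC payload can compute OTPs, so the validating side should at least refuse a time step it has already accepted.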

RADIUS/User portals: IPv6 support

FortiAuthenticator now supports IPv6 for RADIUS servers, captive portals, and self-service portals.

Also, trusted subnets can now be configured in IPv6 format.

A new RADIUS attribute for user IP (IPv6) field is available when configuring a RADIUS client in Authentication > RADIUS Service > Clients.

The access points for captive portals can now be configured in IPv6 format.

OAuth/OIDC: Support conditional consent and/or login + independent session timeouts

The End-user must authorize scopes (authentication code grant type only) option in the Authentication factors tab when creating an OAuth policy has been renamed to Skip authorization consent form.

To decide whether to present or bypass the login and/or consent page during the OAuth/OIDC authentication process, FortiAuthenticator now takes into account the value of these optional input parameters sent by a relying party:

  • prompt: Supported values are none, login, and consent
  • approval_prompt: Supported values are auto and force
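
The following Python is an added example, not FortiAuthenticator's code, showing how an authorization server can turn the prompt and approval_prompt values above, together with the Skip authorization consent form setting, into a decision about which pages to show. It assumes single-valued prompt parameters (the page lists none, login and consent), that the server tracks per-client consented scopes, and that prompt=none must fail with the OIDC login_required / consent_required errors rather than show any UI; the AuthzRequest and Session types are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthzRequest:
    """Relevant parts of an /oauth/authorize/ request (constructed, simplified)."""
    client_id: str
    scope: frozenset
    prompt: Optional[str] = None           # None, "none", "login" or "consent"
    approval_prompt: Optional[str] = None  # None, "auto" or "force"


@dataclass
class Session:
    """What the authorization server knows about the browser session."""
    logged_in: bool
    consented: dict  # client_id -> frozenset of scopes the user approved earlier


def decide(req: AuthzRequest, sess: Session, skip_consent_form: bool = False) -> dict:
    """Returns which pages to show, or an error when prompt=none cannot be honoured.
    Hypothetical policy derived from the OAuth/OIDC parameter semantics; it is not
    FortiAuthenticator's implementation."""
    if req.prompt not in (None, "none", "login", "consent"):
        return {"error": "invalid_request"}
    if req.approval_prompt not in (None, "auto", "force"):
        return {"error": "invalid_request"}

    # prompt=login always re-authenticates, even inside a live session.
    need_login = (not sess.logged_in) or req.prompt == "login"

    # Consent is only skippable when every requested scope was already approved
    # (or the policy disables the consent form) and nothing forces it.
    already_consented = req.scope <= sess.consented.get(req.client_id, frozenset())
    need_consent = (
        req.prompt == "consent"
        or req.approval_prompt == "force"
        or (not already_consented and not skip_consent_form)
    )

    if req.prompt == "none":
        # prompt=none promises the relying party that no UI will be shown, so a
        # missing login or consent is reported as an error instead of a page.
        if need_login:
            return {"error": "login_required"}
        if need_consent:
            return {"error": "consent_required"}
        return {"show_login": False, "show_consent": False}

    return {"show_login": need_login, "show_consent": need_consent}
```

The scope comparison is a subset test on purpose: a relying party that previously obtained consent for openid must not be able to silently widen its grant to openid email by relying on the stored approval.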

Increase ratio of groups to users

Starting with FortiAuthenticator 6.6.3, the maximum allowed number of user groups is Users / 5, up from the previous Users / 10.

See Maximum values for hardware appliances and Maximum values for VM.

Usage profile: Data limit by time interval

The usage profiles now offer the new data limit by time interval option.

A new Data used per time interval option is available when configuring a usage profile in Authentication > User Management > Usage Profile.

Also, the Data used option has been renamed to Cumulative data used.

For a local/remote/guest user, selecting the new Usage History option displays historical data usage.

Additionally, the Account info page for a captive/self-service portal displays the logged-in user usage information and provides the new Usage History option to view the historical data usage.

OAuth: OIDC logout

A new OAuth/OIDC /logout/ API endpoint is available.

This endpoint allows a Relying Party to request logging out the end user and revoking access tokens, refresh tokens, and ID tokens.

If the user is logged in, all corresponding tokens will be revoked.

For more information, see the latest FortiAuthenticator REST API Solutions Guide.

FIDO2: Option to give the FortiAuthenticator administrator control over the user verification setting

A new user verification global configuration option in Authentication > User Account Policies > Tokens determines which type of user verification the end user's browser is instructed to use when registering or authenticating with FIDO.

Support Password+OTP concatenation for FortiToken Cloud-issued FortiToken Mobile token

FortiAuthenticator supports password + OTP concatenation for RADIUS, TACACS+, and LDAP authentication when FortiToken Cloud is the MFA server.

Guest users: Set password, support custom fields, and new permissions

Editing a guest user account now offers the ability to manually set the password and custom fields:

  • The Reset Password option has been replaced by the Set a random password icon.
  • Clicking the eye icon displays the current password.
  • A new Change password icon allows the password to be changed manually. Note: The password must be at least 8 and at most 64 characters in length.

When adding or editing a user defined permission set in System > Administration > Admin Profiles, the following new permissions are available:

  • Can change password of guest user
  • Can change custom fields of guest user

Note: An administrator is now allowed to edit a guest user account if its admin profile has Read & Write access for Can change guest user, Can change password of guest user, and/or Can change custom fields of guest user.

User Portals: Password reset with SMS or FortiToken verification

New admin GUI and user self-service portal options let you select the allowed password reset verification methods.

The password reset workflow in the user portal has been enhanced to integrate the new verification methods and rate limiting.

  • A new Verification methods option is available when Password Reset is enabled under the Pre-Login Services pane when creating/editing portal settings in Authentication > Portals > Portals.
  • Two new options in the Password Recovery Options pane when creating/editing a user:
    • SMS recovery
    • FortiToken recovery

    The new password recovery options are visible to the end user in the Account Info tab of the user portal.

  • Two new password recovery options when configuring a remote LDAP sync rule:
    • Password recovery by SMS
    • Password recovery by FortiToken

    Email password recovery has been renamed to Password recovery by email.

Extend the password field limit for privileged user accounts to 64 characters

Starting with FortiAuthenticator 6.6.3, passwords for a privileged user account can have at most 64 characters.

Smart Connect application on Chromebook

FortiAuthenticator now supports Smart Connect application for Chromebooks.

A new Chrome OS (.onc) option is now available in the Platform dropdown in Smart Connect.

Click Download to download the ONC file.

The end user can click the Install… link to go to the Chrome OS network settings page and install the ONC file.

FSSO: Option to restrict groups to the ones specified in global pre-filter

A new Restrict user groups to groups defined in global pre-filter if configured option is available in Fortinet SSO > Settings > User Group Membership.

New user_ip field

A new user_ip field is available in the following endpoints:

  • /auth/
  • /realmauth/
  • /oauth/token/

For more information, see the latest FortiAuthenticator REST API Solutions Guide.

Administrative account lock

A new Locked option is available when editing a local user.

The existing Disabled option works as an operational lock, i.e., an account is locked in the course of operations such as account inactivity, password expiry, etc. The new Locked option gives the administrator the ability to lock user accounts independently of the Disabled option.

When either Disabled or Locked options are enabled, FortiAuthenticator rejects all authentication attempts for the user.

The new option is also available for LDAP, RADIUS, and SAML users.

A new is_locked field is available in the following endpoints:

  • /localusers/
  • /ldapusers/
  • /radiususers/

Note: No SAML user endpoint exists.

For more information, see the latest FortiAuthenticator REST API Solutions Guide.

Certificate SHA1 weak hashing algorithm detected in port 8001

A new Server certificate option is available when FortiClient SSO Mobility Agent Service is enabled in Fortinet SSO > Settings > Methods. It lets you choose which SSOMA server certificate to use, i.e., CA1- or CA2-signed, to ensure cross compatibility with all SSOMA versions.

The FSSO daemon (fsae) uses the certificate specified in this new setting as the SSOMA server certificate.

Logs for account activity - Phase 1

FortiAuthenticator now logs unusual login activities:

  • Failed login attempt not followed by a successful login
  • Login from a new device/web browser
  • Login from a new location

FortiAuthenticator now generates a log when a user account email and/or mobile number changes:

  • Set an email on an existing user account
  • Change email for an existing user account
  • Set an alternate email on an existing user account
  • Change an alternate email for an existing user account
  • Set a mobile number on an existing user account
  • Change mobile number for an existing user account
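
To make the three "unusual login activity" conditions above concrete, here is an added Python example (not FortiAuthenticator's code or log format) that runs the same detection over a few constructed log records. It assumes each record carries a timestamp, user, result, a device/browser identifier and a location, and it treats a failure as "not followed by a successful login" when no success for that user arrives within a grace window; the first device and location seen for a user form the baseline rather than an alert.

```python
from collections import defaultdict

# Constructed sample log (not FortiAuthenticator's format):
# epoch_seconds user result device_id location
SAMPLE_LOG = """\
1000 alice success dev-A Warsaw
1100 alice failure dev-A Warsaw
1150 alice success dev-A Warsaw
1200 alice success dev-B Warsaw
1300 alice success dev-B Berlin
1400 bob failure dev-C Krakow
1500 bob failure dev-C Krakow
"""


def parse(log_text: str) -> list:
    """Parses the constructed whitespace-separated format into event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, device, location = line.split()
        events.append({"ts": int(ts), "user": user, "result": result,
                       "device": device, "location": location})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, grace_seconds: int = 300) -> list:
    """Returns (ts, user, kind) findings for the three activities listed above."""
    known_devices = defaultdict(set)
    known_locations = defaultdict(set)
    pending_failures = defaultdict(list)  # user -> timestamps of unresolved failures
    findings = []
    for ev in events:
        user = ev["user"]
        if ev["result"] == "failure":
            pending_failures[user].append(ev["ts"])
            continue
        # A success resolves earlier failures inside the grace window; failures
        # older than that were effectively never followed up and are reported.
        for fts in pending_failures[user]:
            if ev["ts"] - fts > grace_seconds:
                findings.append((fts, user, "failed_not_followed_by_success"))
        pending_failures[user] = []
        # The first successful device/location for a user is the baseline, not an anomaly.
        if known_devices[user] and ev["device"] not in known_devices[user]:
            findings.append((ev["ts"], user, "new_device"))
        if known_locations[user] and ev["location"] not in known_locations[user]:
            findings.append((ev["ts"], user, "new_location"))
        known_devices[user].add(ev["device"])
        known_locations[user].add(ev["location"])
    # Failures still pending at the end of the log were never followed by a success.
    for user, stamps in pending_failures.items():
        for fts in stamps:
            findings.append((fts, user, "failed_not_followed_by_success"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

In the sample, alice's 1100 failure is resolved by her success 50 seconds later, her move to dev-B and then to Berlin each produce one finding, and both of bob's failures are reported because no success ever follows them.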

IP/subnet exemptions for IP lockout

When handling a failed authentication attempt, the IP lockout mechanism ignores that attempt if it originated from an exempt IP address/subnet.

A new IP Lockout Exemptions pane in Authentication > User Account Policies > Lockouts now allows the administrator to specify a list of IPv4 addresses/subnets that are exempt from the IP lockout policy.

Note: IPv6 addresses are not supported by IP lockout policy.
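
The exemption behaviour described above, as an added Python model that is not FortiAuthenticator's code: failed attempts are counted per source IP and the IP is locked at a threshold, but attempts from an exempt IPv4 address or subnet never touch the counter. The IpLockout class, threshold and sample addresses are constructed for the example; consistent with the note that IPv6 is not supported by the IP lockout policy, it refuses IPv6 exemption entries and never treats an IPv6 source as exempt.

```python
import ipaddress
from collections import defaultdict


class IpLockout:
    """Hypothetical per-IP lockout with an exemption list, modelled on the
    behaviour described on this page (not FortiAuthenticator's implementation)."""

    def __init__(self, max_failures: int, exemptions):
        self.max_failures = max_failures
        self.exempt = []
        for entry in exemptions:
            net = ipaddress.ip_network(entry, strict=False)  # single IPs become /32
            # The page states IPv6 is not supported by the IP lockout policy,
            # so only IPv4 exemptions are accepted here.
            if net.version != 4:
                raise ValueError(f"IPv6 exemption not supported: {entry}")
            self.exempt.append(net)
        self.failures = defaultdict(int)

    def is_exempt(self, ip: str) -> bool:
        """True when the source address falls inside any configured IPv4 exemption."""
        addr = ipaddress.ip_address(ip)
        return addr.version == 4 and any(addr in net for net in self.exempt)

    def is_locked(self, ip: str) -> bool:
        return self.failures[ip] >= self.max_failures

    def record_failure(self, ip: str) -> bool:
        """Records a failed authentication attempt; returns True if the IP is now locked."""
        if self.is_exempt(ip):
            return False  # exempt sources never accumulate a lockout counter
        self.failures[ip] += 1
        return self.is_locked(ip)


if __name__ == "__main__":
    lockout = IpLockout(max_failures=3, exemptions=["10.0.0.0/24", "192.0.2.7"])
    for source in ("10.0.0.5", "198.51.100.9", "198.51.100.9", "198.51.100.9"):
        print(source, "locked" if lockout.record_failure(source) else "not locked")
```

An exemption is a deliberate hole in brute-force protection, so keep the list to sources that genuinely need it (for example a monitoring host that probes authentication) and make sure those sources are covered by other controls, such as per-account lockout.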

CORS HTTP headers

When a browser loads a web page, that page may contain scripts that the browser must fetch from third-party web servers. Even if the web page does not natively contain such third-party scripts, an attacker could trick the web page into fetching malicious scripts by sending a specially crafted HTTP request.

The CORS headers can be used by the server of a legitimate web page to tell the browser which third-party web servers are authorized to serve content for this web page, thus preventing specially crafted HTTP requests from injecting malicious scripts from unauthorized third-party web servers, i.e., an XSS attack.

You can now specify how to handle Cross-Origin Resource Sharing (CORS) on FortiAuthenticator.

A new Cross-Origin Resource Sharing (CORS) setting is available in System > Administration > System Access.
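
The following Python is an added example, not FortiAuthenticator's code, of the origin allowlist decision that a CORS setting expresses on the server side: only an exact, well-formed origin from the allowlist is echoed back in Access-Control-Allow-Origin, anything else gets no CORS headers and the browser blocks the cross-origin read. The allowlist, function names and the preflight method list are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make cross-origin requests.
ALLOWED_ORIGINS = {"https://portal.example.com", "https://sso.example.com"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS, allow_credentials=True) -> dict:
    """Returns the CORS response headers for a request carrying `origin`.
    Unknown or malformed origins get no CORS headers at all, and a credentialed
    response is never sent with the '*' wildcard."""
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc or parts.path:
        return {}  # not a well-formed Origin value (e.g. 'null' or a URL with a path)
    if origin not in allowed:
        return {}  # exact match only: no prefix/suffix/regex matching
    headers = {
        "Access-Control-Allow-Origin": origin,
        # Vary tells caches that the answer depends on the request's Origin header.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(origin, requested_method, allowed_methods=("GET", "POST")) -> dict:
    """Answers an OPTIONS preflight: same origin check, plus the permitted methods."""
    base = cors_headers(origin)
    if not base or requested_method not in allowed_methods:
        return {}
    base["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
    base["Access-Control-Max-Age"] = "600"
    return base


if __name__ == "__main__":
    for o in ("https://portal.example.com", "https://evil.example.com", "null", None):
        print(o, cors_headers(o))
```

The two mistakes this guards against are reflecting any Origin value back unchecked (which turns CORS into "allow everyone, with cookies") and matching the allowlist by substring, which would let portal.example.com.attacker.test pass.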

Adaptive MFA: Bypass MFA for login on a known device

A new type of adaptive MFA for the SAML IdP and OAuth services bypasses 2FA when a user logs in from the same browser they previously used for a successful 2FA login.

The Adaptive Authentication option has been renamed to Adaptive MFA.

A new For known devices option, which bypasses OTP validation when the end user logs in from a known device, is available when creating a new Adaptive MFA rule while:

  • Configuring a SAML SP in Authentication > SAML IdP > Service Providers.
  • Configuring an OAuth policy (in the Authentication factors tab).

Relabeling REST API rate limiting settings

In FortiAuthenticator 6.6.3:

  • The REST API pane in the Edit System Access Settings window in System > Administration > System Access has been removed.
  • The Restrict number of requests to option previously available in the REST API pane in the Edit System Access Settings window in System > Administration > System Access is renamed to Restrict number of authentication requests to. The option has been moved to Authentication > OAuth Service > General.
  • The Use geolocation in FortiToken Mobile push notifications option previously available in the REST API pane in the Edit System Access Settings window in System > Administration > System Access has been moved to Authentication > User Account Policies > Tokens.

ACME certificate: Account persistence

A new Create Account option is available when creating a certificate using ACME in Certificate Management > End Entities > Local Services.

When you select Create Account after filling in the ACME service URL, the ACME account information persists on FortiAuthenticator upon successful account creation.

Once the server certificate is created, the ACME server endpoint is disabled and grayed out. The Create Account option changes to Change Account.

Clicking Change Account deletes the existing account information from the FortiAuthenticator.

Optionally, you can now set the account email in the new ACME account email field by clicking the edit icon.

New fields in the OIDC authorization endpoint

The following two new fields are available in the /oauth/authorize/ endpoint:

  • approval_prompt
  • prompt

For more information, see the latest FortiAuthenticator REST API Solutions Guide.

FSSO: Manual group lookups

The FSSO engine now has two modes of operation in the new AD server discovery option to discover the available AD servers for group lookups when configuring the user group membership in Fortinet SSO > Settings > User Group Membership:

  • Automatic (default): The legacy discovery mechanism where FortiAuthenticator consults the global catalog to get a list of all domains and their AD servers.
  • Manual: The discovery mode is disabled. Instead, the AD servers list for group lookups must be explicitly configured.

When AD server discovery is Automatic, the Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers option is available (disabled by default).

Note: The Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers option was previously available in Fortinet SSO > Settings > Methods.

When AD server discovery is Manual, in AD servers, specify the AD servers that can be used for group lookups.

Service access control for the SCIM server

A new SCIM (/scim) option is available when you enable HTTPS (TCP/443) in the Access Rights pane when editing a network interface in System > Network > Interfaces.

New options when purging a disabled local user

When purging a disabled local user, the following new options have been added in Purge users that are disabled due to the following reasons:

  • Too many login attempts
  • Password expired
  • FTM activation expired
  • Manually disabled by user
  • Not Activated

New option when editing a RADIUS accounting client

A new Include Acct-Session-Id attribute in RADIUS Disconnect-Request option is available when Support RADIUS Disconnect messages is enabled when creating/editing a RADIUS authentication client in Authentication > RADIUS Service > Clients.

GUI: Realms in SAML IdP > General moved

The Realms option in Authentication > SAML IdP > General is now available as the new User Sources tab in Authentication > SAML IdP.

CLI: New command to search the LDAP directory

When a remote LDAP user is imported, FortiAuthenticator saves the DN. When it is time to authenticate, FortiAuthenticator uses the DN to perform the LDAP bind directly instead of searching the username in the directory first.

When the new diagnose authentication radius-force-ldap-user-lookup {enable | disable} CLI command is enabled, FortiAuthenticator ignores the DN and searches the LDAP directory for the username before performing the LDAP bind.

There is no equivalent GUI option for the CLI command.

OAuth monitor: New GUI options

OAuth Tokens in Monitor > Authentication now includes the following new tabs:

  • Access Tokens
  • Refresh Tokens
  • Authorization Codes
  • JWT Tokens

Additionally, you can filter the tokens by the grant type or status.

A new search bar is also available.

New sub_type field in the /fortitokens/ endpoint

A new sub_type field is available in the /fortitokens/ endpoint.

For more information, see the latest FortiAuthenticator REST API Solutions Guide.

GUI: Updates for RADIUS service

The Certificates tab in Authentication > RADIUS Service has been renamed to General.

A new Max Fragment Size for EAP-TLS setting is available in Authentication > RADIUS Service > General.

Disabled SCIM sync post configuration restore

When someone restores a configuration backup, the automated SCIM task could have severely undesirable side effects if allowed to run.

For example, restoring an old configuration backup into a lab environment with access to the public internet could conflict with the SCIM replication of the production environment.

For this reason, SCIM syncing to any configured SP is disabled after a configuration restore.

A warning message is displayed when you log in after a configuration restore if SCIM has been disabled.

To reactivate the SCIM service, go to Authentication > User Account Policies > General and enable Re-activate SCIM (client).

Resolved issues:

Bug ID  Description

805969 Zero-trust tunnels to multiple FortiGates do not work.
906634 SAML IdP initiated portal URL is accessible using FQDN that is not one of the allowed hosts.
909829 Local user groups should only allow selection of Guest Users when Guest Group is on.
952739 Cannot add default route for the IPv6 address.
961550 FortiAuthenticator incorrectly logs 'invalid token' when the end-user declines a FortiToken Mobile push.
969777 No 'Debug Kit Upload' option on the default (RADIUS Auth) debug page at /debug/.
972164 LDAP sync rule fails if the cert bindings are included and the user account is already imported by another sync rule.
972756 FortiAuthenticator should log when IAM user is created.
973232 Missing user groups for FSSO if using the global group filter.
983781 Add collapse/expand all action when browsing an LDAP tree.
984804 FSAE is crashing with signal 6, seen in segfault.log.
986259 Primary cluster info formatting is distorted on the HA Status page of load-balancer node.
986422 REST API endpoints /auth/ and /pushauth/ used by FortiAuthenticator agents may use wrong realm when the username exists in several realms.
988241 The User portal login fails when 'Request password reset after OTP verification' is disabled and the user with OTP needs a password change.
989673 Disallow saving the setting when enabling Restrict token self-provisioning and no method for self-provision selected.
995220 Usage profile creation is not logged.
1000927 Promoting user account to sponsor/admin role should not be allowed when username contains non-ascii characters.
1001953 Add column on the remote TACACS+ server page for the secondary server.
1004216 Disabling Adaptive authentication in the SAML service provider configuration fails if the specify trusted subnets list is empty.
1004271 Certificate binding in user account showing expired status even if there is another valid certificate.
1005153 Allow underscore in Kerberos realm name field of the remote LDAP servers.
1006378 Preview for the SAML IdP login page replacement messages omits the captcha.
1009107 LinkedIn social login does not work in the captive portal with recently created LinkedIn app.
1009748 SMS user registration receipt includes FortiAuthenticator URL with a colon at the end.
1012102 Force Password Change page on SAML IdP portal does not allow semi-colon or quotations in the password.
1012225 Rate-limiting is not being enforced for OAuth REST API endpoints.
1012741 After successfully assigning an offline token to a remote user the local user page loads up.
1013841 Default Activation delivery method should be pre-selected when FortiToken Mobile is selected.
1014845 'execute expand-partition' command is not working.
1016955 Certificate generation does not work against some ACME servers due to an account email update attempt by FortiAuthenticator.
1017747 FortiAuthenticator does not respond to SCEP request from Apple MDM.
1017916 Filter by group button for the remote LDAP user sync rules does not use the configured group attribute (broken for OpenLDAP).
1018661 Log messages for SAML IdP logout put user IP address in the 'nas' field instead of the 'userip' field.
1018665 OAuth logs do not record requesting user IP address.
1019659 Offline token provisioning not working in legacy self-service portal.
1019660 Token self-provisioning option should not be allowed in the legacy self-service portal when offline FortiToken Mobile enabled.
1021681 Authentication Factors in User Lookup table incorrectly states no token was used for SAML IdP login session.
1022017 OAuth performance optimizations.
1022146 Changing the server certificate in CMP settings is not taking effect until after the reboot.
1022734 403 error when downloading FortiAuthenticator SP metadata if 'SAML SP SSO' is not enabled on the interface.
1022824 MAC devices section is missing a search bar.
1022943 REST API endpoint /pushpoll/ does not work for the FortiToken Mobile push notifications sent by password-based OAuth authentication.
1024455 EAP-TLS authentication looks for CN in the client cert subject even in the trusted CAs authentication mode; EAP-TTLS might match incorrect realm.
1025909 Disabled endorser/sponsor accounts should not be able to approve self-created accounts.
1026189 EAP with NTLM to Windows AD fails when NTLMv1 is disabled on the AD server (not trying to use NTLMv2).
1026784 SAML-based FSSO does not work when enabling disclaimer.
1027363 SAML sync rule removes manually-provisioned hardware FortiToken.
1028556 SSH logins with 2FA for remote RADIUS admins may return incorrect state value in challenge response.
1029099 Accepted FortiToken Mobile Push Notification returns 'unknown error' to the device even though authentication succeeds.
1030796 Creating/editing FSSO filtering object through REST API does not take effect in communication to FortiGates.
1031217 Base DN Browse button in the remote LDAP server create/edit does not work.
1031345 SAML login error when the SLS field is empty in the Service Provider settings.
1032821 Upgrade Django to 4.2.
1033428 Trusted Endpoint SSO does not prompt for FIDO when 'Enforce MFA' option is selected.
1035629 Newly created IAM user getting error page during SAML login.
1035728 OCSP verifications failing for valid certificates.
1035810 500 error when trying to create guest users.
1036688 Generate log event when token seed returned by POST to REST API.
1036821 After importing new users via CSV file, the existing users in user group are removed.
1037883 Updated SMTP password does not take effect (old password still in use).
1039024 FortiToken Mobile push notifications fails for units without a firmware certificate signed by FTNT CA2.
1039411 Need resource type in SCIM Client to support the FortiGate SCIM server.
1040484 Communication failures to FortiToken Mobile push server may result in resource leak.
1040957 LDAP auto-provision does not work for users created from self-service portal (only works with the legacy self-service portal).
1041406 OTP challenge message incorrectly mentions push for FortiToken Mobile tokens provisioned with the FortiToken Windows app (does not support push).
1041678 FSSO workstation IP verification takes inordinate time when DC agent sends workstation netbios name instead of the full domain name.
1042176 Authorization Code based OAuth Authentication REST API call gets 500 error for IAM login.
1043178 Provisioning tokens fail when multiple users are enabling 2FA at the same time.
1044241 FortiToken Cloud token revocation unavailable in the user portal after upgrading from 6.4.
1044616 Local admin users cannot be part of the LDAP-Service Tree.
1045487 radiusd crashes if the user lockout time is NULL in config DB.
1045900 FortiAuthenticator does not check certificate revocation status when connecting via LDAPS to the remote LDAP server.
1046360 FortiToken push may fail in rare cases.
1047537 Users that are promoted to Admins do not have passwords hashed.
1047740 GUI debug report immediately fails with 'Unable to create a debug report file.'
1048554 SAML IdP logout response always uses SHA1 signature algorithm (ignores the config setting).
1049191 Inconsistent RADIUS and TACACS+ client limits.
1051864 RADIUS service does not prompt for second factor when PCI 2FA option is enabled and user does not exist in FortiAuthenticator.
1053471 500 error when trying to download SP metadata that uses a pending server certificate.
1053482 Incorrect validation message when downloading metadata with a revoked server certificate.
1054626 SCIM server returns misleading error messages.
1054837 After importing a CSV file with FortiToken Hardware 200B serial numbers, the token is not usable.
1055691 Push notifications for HOTP FortiTokens are not working.
1056044 Expose FortiToken sub-type to REST API.
1058364 FSSO wmid crashes when the user logon is missing the workstation name.
1058919 Admin popup warning when deprecated tags used in the replacement messages needs to be more user-friendly.
1059887 500 error when adding a group in the LDAP Directory Tree.
1060447 Failed FortiToken Cloud provisioning may lead to inconsistent config DB.
1060487 Unable to expand large list of LDAP users when the LDAP server takes a long time to respond.
1061076 The radio buttons under 'Create New LDAP Entry' in LDAP Services are misaligned and disorganized.
1061248 HTTP access for admin should be denied.
1061416 Create local user through REST API fails with 'Invalid time format. Time should be formatted using ISO-8601.'
1061729 Unable to import pkcs12 certificate file (.p12).
1062342 Import of CRL larger than 500000 bytes returns size too large error.
1062500 Password manager extension is misaligned on admin login page.
1064030 Remote TACACS+ admin is unable to login through SSH unless a secondary server IP address is configured.
1064052 Remote TACACS+ admin unable to login using fallback password.
1064295 ns-gw, node-specific gateway versus static route: ns-gw takes precedence until static route is set.
1065784 Blackduck upgrade to Django 4.2.15.
1065790 Blackduck upgrade to curl 8.9.1.
1065800 Blackduck upgrade to OpenSSL 3.0.14 (6.x) / 3.1.6 (7.0).
1065939 Unable to configure network settings (IP address, gateway) in 'DB down' console recovery mode.
1066298 SAML IdP sessions should not be saved into config database and may cause larger than expected backups that shrink after reboot.
1066444 Web server does not return complete server certificate trust chain during the TLS handshake.
1066667 FortiAuthenticator domain-join generates FSSO session with source 127.0.0.1.
1067203 The CA name is missing from the CRL URL in the SCEP configuration.
1067454 Expired SAML IdP sessions not getting cleaned up.
1067672 FortiAuthenticator should prevent adding same users into the LDAP tree twice.
1067689 FortiAuthenticator must stop sending XSS-Protection in HTTP headers.
1068102 Cannot disable LDAP user group auto provisioning.
1068414 Truncated timestamp in the user lockout message.
1068895 Unable to POST and DELETE to /api/v1/localgroup-memberships/ unless admin has full permissions.
1069149 Captive portal shows end-user an error 500 page when device tracking is enabled.
1069382 500 Internal Server Error when attempting to create new RADIUS service clients.
1070628 Incorrect cluster member sent to FortiToken Cloud server if LB node (not most recently added) unable to join.
1070806 Editing custom vendor RADIUS dictionary returns 500 Internal Server Error.
1071626 Yubikey token concatenation does not work.
1072447 User with FortiToken Cloud token cannot work properly if associated remote server name contains spaces or other special characters.
1073051 Provide truncated anomaly report instead of nothing when full report might cause GUI timeout.
1073785 Error in SCEP service after creating SCEP manual enrollment.
1074375 IdP monitor session details show 'password and no token' even if we used 2FA to login.
1074858 TACACS+ general debug log level should not affect other types of TACACS+ debug logs.
1076497 Captive portal returns 403 error when clicking the Cancel button during the password recovery process.
1076911 RADIUS response should not contain multiple Message-Authenticator attributes.
1077962 'LoginHint' not working when the SAML authentication request is submitted through a POST request.
1079620 Self-service password reset does not work when using UPN.
1079764 SAML IdP proxy cannot handle more than 200 Oauth Groups from Google Workspace.
1080593 Locked FortiToken Mobile token can still be assigned to a user with 3rd party app via REST API.
1080643 Improve error handling for invalid/incomplete SAML request.
1080671 Improve error handling for stale SAML authentication requests.
1080833 500 error on IdP-initiated portal page if the SAML realm is not in the IdP realms list.
1081228 OAuth login page sends FortiToken push notification, but the OTP input page does not detect approval on the FortiToken Mobile app.
1082809 ftmd crash if the FortiToken Mobile server returns NULL state when a polling pending token.
1083053 Set disable 'reason' for the first event that disables the user account; overwrite it on subsequent disabling events.
1083426 Issue resolving the RADIUS Client name conflicts in 6.6.0 data upgrade migration (shipped in 6.6.0-6.6.2).
1083628 FSSO log level performance impact on the fsae service.
1084772 POST /api/v1/localusers takes too long to respond when millions of user accounts are configured.
1086456 CMP enrollment over HTTPS does not work (HTTP works).
1086837 Remote LDAP user authentication fails if the username attribute is mailNickName.
1086918 Not all FortiToken Mobile tokens in a license are migrated during an FTM-to-FTC migration.
1087229 500 error when exporting MAC devices, FSSO sessions and/or in admin password check popup when non-ASCII chars are being used.
1087245 Missing logs on FortiAuthenticator when the secure syslog trusted CA certificate is updated.
1088268 Blackduck libexpat upgrade.
1088838 Noticeable delay was observed when doing FortiToken Cloud push notification.
1088894 FSSO omits to save the local and the external groups to the group cache.
1088924 SAML IdP proxy not able to support more than 100 groups with Entra ID remote IdP.
1089207 SCIM client stops syncing with SCIM server due to crash during user deletion.
1089332 Password-only authentication does not work for user account within FortiToken Cloud when the FortiToken Cloud server is unreachable.
1089407 Custom user fields ignored when importing local users CSV.
1089525 Captive portal social SMS authentication sends SMS that does not autofill OTP on the mobile phone.
1091487 Fix two potential crashes (null dereference) in wad http engine.
1092828 Remote TACACS+ server port setting is ignored; always using default port 49.
1093589 Issue syncing trusted CAs with LB HA.
1093852 Resolve database error suppression and infinite loop in the SAML IdP service.
1093866 SAML IdP fails to verify intermediate CA cert for the SP configured with direct CA.
1094038 'Send Guest User Credential Via Email' in the sponsor portal does not work.
1094803 OAuth user portal registration failing to send an email token verification code.
1094962 Increase SAML IdP realms limit to 400.
1095121 wad crashes due to various mishandling of the memory resources.
1095260 Static route disappears after HA failover.
1095336 CSV import of local users removes MAC devices and promotes sponsors to admins.
1096175 SCIM service provider endpoints should only accept HTTPS.
1096669 Remove Trusted Endpoint IdP session when receive SSOMA logout.
1096731 Cannot add claims to OAuth Relying Party if openid scope did not get assigned id '1'.
1096755 In a SAML IdP proxy setup, authentication to the external IdP fails if the login URL is missing trailing '/'.
1096950 FSSO self-service portal with LDAP admin user incorrectly creates FSSO session with domain SSO_LOCAL_USER.
1097253 Improve SAML User Source Selection: Move to dedicated page with enhanced search and performance.
1097701 Failing to change password for LDAP user with OTP during SAML IdP login when PCI DSS 3.2 2FA is enabled.
1098142 SAML IdP proxy returns 500 error when multiple realms are using the same remote SAML server.
1098200 Permission set Authentication Monitor should allow viewing the SAML IdP Active Session.
1099423 FortiAuthenticator does not support AES-128 for SCEP CSR – causing FortiGate in fips-cc mode to be unable to complete the operation.
1100167 Cannot manually import recent LetsEncrypt-issued SSL certificates (ecdsa-with-SHA384).
1100735 Realm support is only available for the Android platform for Smart Connect.
1101555 Hardware FortiToken stays assigned to the user after changing the method to FortiToken Cloud.
1101636 Automatic LB HA anomalies repair blocks syncing for over 3 minutes when millions of users are configured.
1102488 REST API performance degradation when config contains millions of user accounts.
1102677 Dashboard inventory widget showing FortiToken Cloud count -1 when communication with FortiToken Cloud servers returns an error.
1102705 Custom user field column header does not get updated when exporting users to CSV.
1104340 FortiAuthenticator does not verify ca chain in the SCIM TLS handshake to the SCIM server.
1104346 SAML login remains on the username page when the login hint is empty in the remote SAML setup.
1104651 Missing data validation for some user account settings in the admin GUI.
1106989 Missing logs for admin_auth (ssh/console login).
1108285 Unable to use /api/v1/auth when Webservice Authentication is Read Only.
1108337 OIDC login with LDAP user should not include IAM user info in id_token.
1109220 Blackduck upgrade to postgresql 15.11.
1109356 Cookie value greater than 2022 bytes triggers credential leak.
1109713 Blackduck python package upgrades.
1110190 When restoring from a backup or upgrading, the port2 gateway reverts to port1.
1110271 Changes to CNA on iOS 18 breaks the SMART Connect in the user portals.
1111343 Changing group memberships from within local user account does not generate a log.
1111414 RADIUS process crashes silently with EAP-TLS involving mschapv2.
1111805 500 internal error when creating new admin local user account or resetting the password in existing local admin user.
1112524 REST API endpoint /pushpoll/ is broken.
1113741 When SAML IdP login prompts for OTP without user/password input for the FortiToken Cloud user, no authentication request is sent to the FortiToken Cloud servers.
1114390 TACACS+ clients newly synced to LB node do not take effect until after reboot.
1114799 Remote LDAP server name translation error in HA LB sync.
1115122 Deleting OAuth relying party causes a 500 error because of stale cache data.
1115182 Blackduck upgrade for libglib2.
1115328 Blackduck upgrade for apache2, apr.
1115338 Blackduck upgrade for curl/libcurl in 6.x.
1115346 Blackduck Django upgrade in 6.x, 7.0 branches.
1115563 User Group not synced by LB HA when it has a custom password policy.
1115632 SAML IdP proxy does not enforce group filtering.
1116530 The replacement message customization on self-service portal for QR-code display does not work.
1117287 Sample default value of {{:serial_number}} variable for Mobile token Replacement Messages shows HW token SN, not Mobile.
1117315 Unable to upload more than 1 custom image in Administration > Images with 100 users license.
1118263 RADIUS policy option “Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient” not saved properly.
1119396 Blackduck OpenSSL upgrade for 6.x.
1119399 Blackduck Jinja2 upgrade to 3.1.5 for 6.x.
1119427 Blackduck cJSON upgrade to 1.7.18.
1119640 Even if the EAP server certificate is changed in the standalone primary, it is not used in load balancer and authentication fails.
1120130 No groups available in SCIM custom group selector.
1121019 Web server may not always present server certificate containing full trust chain.
1125103 Misleading log for EAP-TLS with non-imported remote user in user binding authentication mode.
1125142 Custom logo is not sent to FortiToken Mobile when provisioning FortiToken Mobile from the self-service portal.
1126112 Add wad watchdog module that restarts the service if it becomes unresponsive for over 5 minutes.
1126466 Remove/disable redundant LDAP bind for invalid authentication credentials.
1127526 Retrieving IdP metadata from a published URL returns 500 internal server error.
1127820 Blackduck to libxml2-2.12.10.
1128090 Service certificates without FQDN in CN cannot select for HTTPS-Service, even if the FQDN is in SAN DNS.
1130552 Attempt to browse a synced over OAuth Portal on LB node leads to an exception.
1131145 Display refresh tokens and authorization grants in the Monitor section.
1131675 FortiAuthenticator should log when an IAM account is created.
1133841 Groups sent in multiple RADIUS attributes ignored by RADIUS accounting-based FSSO.
1135456 FortiToken Mobile self-provisioning portal page is shown as blank for some users.
1136182 SAML IdP trusted endpoint SSO with MFA enabled (FortiToken Mobile) does not work for the remote SAML user.
1137647 Mutual authentication using certificates (EAP-TLS) for remote syslog does not check SAN.
1138108 Blackduck libfreetype6 upgrade.
1138226 FortiAuthenticator allows EAP-TLS authentication via revoked certs from CRL list.
1139016 Pre-existing TACACS+,OAuth policies on the primary node are synced to the LB node(s) even when syncing of these services is disabled.
1139380 Blackduck django and jinja2 upgrade.
1139476 Gateway timeout when loading local users page with a large number of users.
1140468 AD account email is returned by the SAML IdP instead of email in the remote LDAP user account config for the 'email' assertion attribute.
1140469 Blackduck gunicorn upgrade for 6.x.
1140543 Secondary node SAML and captive portal showing 403 error on failover.
1140607 Generate log event when the token seed is returned by PATCH to REST API.
1141438 Blackduck libxslt upgrade for 6.x.
1142208 SAML hardened login page unable to see the token labels.
1142775 Local user list with German characters cannot be exported/imported from the CSV file correctly.
1142917 Azure portal admin password reset functionality broken by Azure-side changes.
1142972 Invalid Relying party generates an empty log.
1143044 500 Internal server error when trying to add alternate email address in the self-service portal.
1144544 FortiClient not prompting for token when the user enters a wrong password when PCI DSS 3.2 2FA mode enabled on FortiAuthenticator.
1145910 Pressing Cancel when provisioning and validating an Offline FortiToken Mobile token will give internal server error.
1146361 Blackduck upgrade to liblzma5 for 6.6/6.x.
1146528 SAML generates no log in the case of a database error.
1146949 Usage profile check should be bypassed for admin GUI logins.
1146960 If a user has a maximum device limit in the usage profile then any authentication fails when RADIUS accounting is disabled.

Common Vulnerabilities and Exposures

Bug ID 1054794 (CVE references): FortiAuthenticator 6.6.3 is no longer vulnerable to the following CVE reference(s):

  • CVE-2024-3596
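CVE-2024-3596 (the "Blast-RADIUS" MD5 response-forgery issue) and bug 1076911 above both come down to the same attribute: the RADIUS Message-Authenticator (RFC 2869, attribute 80) must be present exactly once and must verify under the shared secret, because the legacy MD5 Response Authenticator alone can be forged. The script below is an added example written for this post, not code from the release notes or from Fortinet. It builds a constructed Access-Request/Access-Accept pair with a made-up shared secret (`SECRET`) and a fixed Request Authenticator, then checks a packet the way a hardened client should: count the Message-Authenticator attributes, verify the HMAC-MD5, and compare that with the weaker Response Authenticator check. The packet bytes, identifiers and secret are all constructed for the demo.

```python
"""RADIUS Message-Authenticator checker (RFC 2869 attribute 80). Added example;
constructed packets and secret, not captured traffic or vendor code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN = 20


def build_packet(code, ident, authenticator, attrs):
    """Serialize a RADIUS packet: code, id, length, 16-byte authenticator, TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return [(type, value), ...]; reject a bad length field or malformed TLVs."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("length field does not match packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def expected_message_authenticator(packet, secret, request_auth):
    """HMAC-MD5 over the packet with attribute 80 zeroed and the *Request*
    Authenticator in the header. For a response that is the authenticator of the
    matching Access-Request, not the Response Authenticator seen on the wire."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
              for t, v in parse_attributes(packet)]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def check_message_authenticator(packet, secret, request_auth=None):
    """Return (count, ok): ok only when exactly one attribute 80 exists and verifies."""
    if request_auth is None:                 # Access-Request: use its own authenticator
        request_auth = packet[4:20]
    found = [v for t, v in parse_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return len(found), False
    return 1, hmac.compare_digest(found[0], expected_message_authenticator(packet, secret, request_auth))


def verify_response_authenticator(response, secret, request_auth):
    """Legacy check only: MD5(code|id|len|RequestAuth|attributes|secret)."""
    digest = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(digest, response[4:20])


def sign(code, ident, request_auth, attrs, secret, is_response):
    """Append a correct Message-Authenticator; for a response also compute the
    Response Authenticator over the finished attribute list."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    mac = hmac.new(secret, build_packet(code, ident, request_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    auth = request_auth
    if is_response:
        auth = hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()
    return build_packet(code, ident, auth, attrs)


# Constructed sample data: fixed secret and Request Authenticator so the run is
# reproducible. A real client generates the Request Authenticator with os.urandom(16).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
IDENT = 7
REQUEST = sign(ACCESS_REQUEST, IDENT, REQUEST_AUTH, [(ATTR_USER_NAME, b"alice")], SECRET, False)
ACCEPT = sign(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, [(ATTR_USER_NAME, b"alice")], SECRET, True)

# Forged Access-Accept with no Message-Authenticator. Its Response Authenticator
# is computed with the secret here only to make the point; in the real attack it
# is produced with an MD5 chosen-prefix collision, without the secret.
_forged_attrs = [(ATTR_USER_NAME, b"alice")]
FORGED_ACCEPT = build_packet(
    ACCESS_ACCEPT, IDENT,
    hashlib.md5(build_packet(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, _forged_attrs) + SECRET).digest(),
    _forged_attrs)

# Response carrying attribute 80 twice: the malformed shape bug 1076911 removes.
DUPLICATED = build_packet(ACCESS_ACCEPT, IDENT, ACCEPT[4:20],
                          parse_attributes(ACCEPT) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])

if __name__ == "__main__":
    print("request   ", check_message_authenticator(REQUEST, SECRET))
    print("accept    ", check_message_authenticator(ACCEPT, SECRET, REQUEST_AUTH),
          verify_response_authenticator(ACCEPT, SECRET, REQUEST_AUTH))
    print("forged    ", check_message_authenticator(FORGED_ACCEPT, SECRET, REQUEST_AUTH),
          verify_response_authenticator(FORGED_ACCEPT, SECRET, REQUEST_AUTH))
    print("duplicated", check_message_authenticator(DUPLICATED, SECRET, REQUEST_AUTH))
```

The forged Access-Accept passes the Response Authenticator check and fails the Message-Authenticator check, which is why the fix for this class of bug is "require attribute 80 on every packet, accept it only once", not "check the MD5 harder". When reviewing a FortiGate or FortiAuthenticator RADIUS client after the upgrade, the same two questions apply to a packet capture: is attribute 80 present in every Access-Request and every response, and is it present exactly once.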

Vendor release notes: FortiAuthenticator 6.6.3

Regards,

The B&B Team
Bezpieczeństwo w biznesie
