Najnowsza wersja oprogramowania produktu FortiManager oznaczona numerem 6.2.9 ujrzała właśnie światło dzienne! Dzięki aktualizacji, producent naprawił podatności w zabezpieczeniach:

CVE – 2021-32598 – Podatność dotycząca, umożliwienia uwierzytelnionemu i zdalnemu napastnikowi wykonanie ataku z podziałem żądań HTTP, który daje atakującym kontrolę nad pozostałymi nagłówkami i treścią odpowiedzi.

CVE-2021-32587 – Podatność dotycząca, umożliwienia zdalnemu i uwierzytelnionemu napastnikowi z ograniczonym profilem użytkownika pobrać listę użytkowników administracyjnych innych obiektów ADOM i ich powiązaną konfigurację.

Również dzięki aktualizacji, zostały skorygowane problemy wcześniejszych wersji. Działanie procesów VDOM i ADOM zostało poprawione w większym stopniu do poprzednich wersji. Po więcej szczegółowych informacji, zapraszam do dalszej części artykułu.

Rozwiązane problemy:

Device Manager

Bug ID	Description
665207	FortiManager needs IPv6 support on Syslog server setting.
697098	Retrieving HA configuration may fail when adding FortiGate.
701348	Once VRPP instance is created, user should be able to edit or delete it.
711713	DHCP relay is displayed as DHCP server when workspace is unlocked.
718184	AutoUpdate with „unset options” & „unset post-lang” may cause device database and policy package status shown as OUT-OF-SYNC.
719028	FortiManager may not update FortiGate’s VDOM license information when it is changed.
735066	FortiManager may not be able to create a VDOM link via Device Manager with an error on „invalid vdom” message.
739369	When revision history is very large, FortiManager may not be able to retrieve configuration.
742960	After locked a FortiGate in workspace mode, FortiManager may not show button to upgrade the FortiGate’s firmware.

Global ADOM

Bug ID	Description
680798	FortiManager may return error, „Could not read zone validation results”, when assigning global ADOM changes with „Automatically Install Policies to ADOM Devices”.
728803	Copying global firewall policy may fail due to duplicate IPS sensors.
741942	FortiManager should show clear error message for duplicated object assigned from Global ADOM.
745772	FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM.
753299	FortiManager cannot save scripts in Global ADOM.

Others

Bug ID	Description
657997	Assigning device to system template may not work via JSON when FortiManager is in workspace mode.
724470	dmworker may crash on device retrieve or revision import.
728375	JSON API may return „runtime error 0: invalid value” error when getting dynamic mapping with „fields” attribute.
740523	Retrieve task may fail due to autoupdate file already been deleted by fgfm.
742137	FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies.

Policy and Objects

Bug ID	Description
642708	View Mode may unexpectedly change from Interface Pair View to By Sequence mode.
664655	Export policy in CSV may result in an empty file.
686911	Workflow session may not be able to compare with error: „Can not compare because of invalid Revision Diff data”.
704637	FortiManager allows VIP to be configured without default value or dynamic mapping.
709908	When checking the status on AntiVirus profile, it may not show the correct inspection mode in list view with status stays in „flow-based (Full Scan)”.
711679	IPS custom object and signature name should be unique across all VDOMs.
715269	„CVE-2021-26857” default action should be Drop on the FortiManager when the IPS version is greater than 18.028.
715275	FortiManager may not be able to show specific signature.
715722	Users may not be able to delete global object.
738475	Special characters within policy’s comment causes all policies missing on GUI.
740944	Custom IPS Signature script may fail to run on policy package or ADOM database.

Revision History

Bug ID	Description
691240	FortiManager should not unset the value forward-error-correction with certain FortiGate platforms.
711314	VDOM specific 'Disclaimer Page’ configuration is purged from 'default’ replacemsg-group during Policy Package installation.
725717	After upgrade, installation may fail due to mcast-session-counting.
735455	FortiManager may try to delete thousands of policies during install.
742242	Install fails after upgrade due to „set server-identity-check enable” on LDAP server configuration.
755687	FortiManager may show admin with no password when adding a new VDOM to FortiGate-2200E/2201E.

Script

Bug ID	Description
715305	When changing system setting opmode from nat to transparent via a script, FortiManager may return failure to commit to database stating that there is no interface.
721740	FortiManager may fail to run CLI script on Device DB after dmworker crash.
740938	Direct CLI script may fail when it contains an 'exec’ command.
755606	Running script to create transparent VDOM may fail.

Services

Bug ID	Description
688498	FortiSwitch version shown in the FortiGuard package page is not seen on FortiGate.
733174	FortiManager may not be able to recognize the object id 06002000NIDS02604 as IPS Signature Database(Extended).

System Settings

Bug ID	Description
711446	Copy may fail due to invalid protocol options when both FortiGate and ADOM are upgraded to v6.2.
715590	As soon as a policy-package is located within two nested folders, locked policy packages must be shown and took into account in Settings > Admin Sessions.
738778	ADOM upgrade may fail from version 5.4 to 5.6 due to incorrect check on policy block.

VPN Manager

Bug ID	Description
712861	Policy Package Status stays Synchronized despite SSL-VPN Portal configuration is changed using VPN Manager.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	Description
714934	FortiManager 6.2.9 is no longer vulnerable to the following CVE-Reference: CVE-2021-32587
715916	FortiManager 6.2.9 is no longer vulnerable to the following CVE-Reference: CVE-2021-32598

 

Notatki producenta: FortiManager 6.2.9

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

6.2.9 FortiManager FortiManager 6.2.9