Software vendor Fortinet, in the latest update for FortiManager version 7.0.10, reports fixes for the vulnerabilities CVE-2023-42782, CVE-2023-42787 and CVE-2023-44249. One of these vulnerabilities concerned the ability to send messages to the FortiAnalyzer syslog server by knowing an authorized device serial number. Another of the flaws could allow a remote attacker with low privileges to gain access to a privileged console through client-side code execution. The last vulnerability was an authorization bypass that could allow a remote attacker with low privileges to read sensitive information via crafted HTTP requests. More details on the update are in the article below.
Currently supported models:
| Product | Models |
|---|---|
| FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-400G, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, FMG-3700G, and FMG-3900E. |
| FortiManager VM | FMG_DOCKER, FMG-VM64, FMG_VM64_ALI, FMG-VM64-AWS, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-IBM, FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen). |
Resolved issues:
AP Manager
| Bug ID | Description |
|---|---|
| 861941 | FortiManager attempts to install "arrp-profile" even if "darrp" is disabled. |
| 889811 | Under WiFi and Switch Controller for Managed FortiAPs, no LLDP info is found. |
Device Manager
| Bug ID | Description |
|---|---|
| 472443 | FortiManager does not retrieve any of the profiles and addresses in the format of "g-XXX" from FortiGates when VDOMs are enabled. |
| 723720 | "strong-crypto" feature change under the CLI configuration cannot be installed to FortiGate. |
| 811104 | Import policy package fails after installing web-proxy through CLI configurations. |
| 949546 | When assigning interfaces to a zone in a vdom, it is not visible in Device Manager. |
| 949646 | Static route changes made in FortiManager do not appear in the installation preview. |
Global ADOM
| Bug ID | Description |
|---|---|
| 906058 | Firewall address cannot be deleted from Global ADOM; it displays an error message indicating that the object is being used in ADOM root. |
| 925188 | The per-device mapping for any assigned global objects cannot be modified. |
Others
| Bug ID | Description |
|---|---|
| 813443 | FortiManager does not support the FGT-GCP different IP addresses on interfaces and different source DNS IP. |
| 885665 | Unable to specify type of objects in FortiProxy ADOM. |
| 891253 | The firmware upgrade is successful; however, the task line does not get updated for the retrieve action when device names exceed the predefined character limit. |
| 941203 | FortiManager does not support the use of Certificate Templates to create certificates with a "range=global" setting for FortiGates operating in multi-vdom mode. |
| 957433 | When creating the FortiManager/FortiAnalyzer docker instances, UUID is missing under "diagnose debug vminfo". |
Policy and Objects
| Bug ID | Description |
|---|---|
| 468776, 825873 | FortiManager does not support FortiGate/FortiOS global scope (g-) objects. |
| 630648 | A FortiManager instance running on Microsoft Azure is unable to import the SDN connector for a dynamic firewall address and is displaying an error message stating "wrong input parameter." |
| 696367 | Hit count, first used, and last used may not get updated on FortiManager. |
| 725427 | Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy. |
| 793240 | FortiManager fails to retrieve FortiGate's configuration when external-resource objects include a "g-" prefix. |
| 855073 | The "where used" feature does not function properly. |
| 875103 | Local categories get purged if used in Profile Mode Security Profiles. |
| 889586 | Azure Service Tags not displayed correctly in FortiManager. |
| 894597 | Default value for "unsupported-ssl-version" in ssl-ssh-profile gets modified during the installation. |
| 899226 | Unable to create Central SNAT explicit port translations on FortiManager. |
| 914945 | Unable to modify or clone the "SSL/SSH inspection profile" in Policy & Objects on ADOM version 7.0. |
| 920983 | The policy blocks using a group object do not get updated when the objects within the group are modified. |
| 924680 | Policy packages containing geo-based ISDB objects may not be successfully installed to the FortiGates. |
| 942659 | Syncing EMS tags from FortiManager fails when the EMS Connector is configured in multi-site mode. |
Revision History
| Bug ID | Description |
|---|---|
| 904710 | Restoring a revision of a policy removes the information of all the SD-WAN rules. |
Script
| Bug ID | Description |
|---|---|
| 931196 | Scheduled Scripts created by LDAP users cannot be run and FortiManager displays a "Data is not ready" error message. |
Services
| Bug ID | Description |
|---|---|
| 863094 | The query status is not functioning correctly, and the "top 10 unrated sites" section actually displays ratings. |
| 938365 | FortiManager’s GUI does not display an option under FortiGuard Settings to support the 7.2 version for FortiClient and FortiMail. |
System Settings
| Bug ID | Description |
|---|---|
| 842732 | FortiManager does not display the Secondary HA member’s status correctly. |
| 936694 | After removing a device, FortiManager generates repeated "sync dvmdb to faz" tasks for all logged-in administrative users. |
Common Vulnerabilities and Exposures
| Bug ID | CVE references |
|---|---|
| 904375 | FortiManager 7.0.10 is no longer vulnerable to the following CVE Reference: |
| 928114 | FortiManager 7.0.10 is no longer vulnerable to the following CVE Reference: |
| 941847 | FortiManager 7.0.10 is no longer vulnerable to the following CVE Reference: |
Vendor release notes: FortiManager 7.0.10
Regards,
The B&B Team
Security in business
