B&B Bezpieczeństwo w biznesie

Fortinet, the network security appliance vendor, has released the latest FortiOS update, version 7.0.14. It brings many fixes and improvements, including a patch for CVE-2023-38545, a vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. It also fixes SSL VPN bugs that blocked iOS and Android mobile devices from connecting to the SSL VPN tunnel, system issues with ISP traffic on LAG interfaces, and much more. Additional information can be found in the article below.

Supported models:

FortiGate: FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-400F, FG-401F, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1
FortiWiFi: FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged: FGR-60F, FGR-60F-3G4G
FortiFirewall: FFW-3980E, FFW-VM64, FFW-VM64-KVM
FortiGate VM: FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images: FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Resolved issues:

Application Control

Bug ID Description
820481 For firewall policies using inspection-mode proxy, some HTTP/2 sessions may be invalidly detected as unknown application.

DNS Filter

Bug ID Description
907365 DNS proxy caches DNS responses with only one CNAME record.

Explicit Proxy

Bug ID Description
901627 Explicit proxy and SD-WAN issue occurs.
942612 Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.
978473 Explicit proxy policy function issues when matching external-threat feed categories.

Firewall

Bug ID Description
898938 NAT64 does not recover when the interface changes.
953907 Virtual wire pair interface drops all packets if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F.
977641 In transparent mode, multicast packets are not forwarded through the bridge and are dropped.

GUI

Bug ID Description
848660 Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
867802 GUI always displays Access denied error after logging in.
874502 A prompt to Login as ReadOnly/ReadWrite is not displayed when post-login-banner is enabled on a FortiGate managed by FortiManager.
969101 Managed FortiAP-s page is not loading for non super-admin users.

HA

Bug ID Description
871636 HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.
904117 When walking through the session list to change the ha_id, some dead sessions could be freed one more time.
924671 There is no response on ha-mgmt-interfaces after a reboot when using a VLAN interface based on hd-sw as the ha-mgmt interface.
937246 An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.
949352 The user.radius checksum is the same in both HA units, but the GUI shows a different checksum on the secondary and the HA status is out of sync.
962681 In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.

Hyperscale

Bug ID Description
839958 service-negate does not work as expected in a hyperscale deny policy.
940511 In some cases, carrier-grade NAT is dropping traffic.
984852 The HA/AUX ports are not enabled on boot up when using the NPU path option.

Intrusion Prevention

Bug ID Description
923393 IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.

IPsec VPN

Bug ID Description
897867 IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.
898961 diagnose traffictest issues with dynamic IP addresses and loopback interfaces.
914418 File transfer stops after a while when offloading is enabled.
921691 In FGSP, IKE routes are not removed from the kernel when secondary-add-ipsec-routes is disabled.
926002 Incorrect traffic order in IPsec aggregate redundant member list after upgrade.
945873 Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition.
950012 IPsec tunnels stuck on NP6XLite spoke drop the ESP packet.
950445 After a third-party router failover, traffic traversing the IPsec tunnel is lost.
961305 FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address.
968218 When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.

Log & Report

Bug ID Description
940814 Administrators without read permissions for the threat weight feature cannot see the event log menu.
954565 Although there is enough disk space for logging, IPS archive full message is shown.
965247 FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.
967692 The received traffic counter is not increasing when the traffic is HTTPS with webfilter.
987261 In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are zero.

Proxy

Bug ID Description
790426 An error case occurs in WAD while redirecting the web filter HTTPS sessions.
806556 Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile.
828917, 919781 Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.
845361 When a client opens two files and sends a compounded request to read and close file A, this causes file B to be closed twice and WAD to crash.
940149 Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.
947814 Too many redirects on TWPP after the second KRB keytab is configured.
954104 An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

Routing

Bug ID Description
781483 Incorrect BGP Originator_ID from route reflector seen on receiving spokes.
890954 The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.
897666 Issue with SD-WAN rule for FortiGuard.
914815 FortiGate 40F-3G4G not adding LTE dynamic route to route table.
926525 Routing information changed log is being generated from secondary in an HA cluster.
952908 Locally originated type 5 and 7 LSAs’ forward address value is incorrect.
954100 Packet loss status in SD-WAN health check occurs after an HA failover.

Security Fabric

Bug ID Description
782518 Threat feeds are showing that the connection status has not started when it should be connected.
841364 Cisco APIC SDN update times out on large datasets.
956423 In HA, the primary unit may sometimes show a blank GUI screen.

SSL VPN

Bug ID Description
894704 FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.
898889 The internal website does not load completely with SSL VPN web mode.
906756 Update SSL VPN host check logic for unsupported OS.
957406 OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.

Switch Controller

Bug ID Description
816790 Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.
858749 Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.
911232 Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.
937065 An exported FortiSwitch port is not correctly showing up/down status.

System

Bug ID Description
631046 diagnose sys logdisk smart does not work for NVMe disk models.
733096 FG-100F HA secondary’s unused ports flap from down to up, then to down.
763739 On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.
861661 SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.
882187 FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
888655 FortiGate queries system DNS for A <Root> and AAAA <Root> servers.
894045 Sensor information widget continuously loading.
909225 ISP traffic is failing with the LAG interfaces on upstream switches.
910700 Ports are flapping and down on the FortiGate 3980E.
912092 FortiGate does not send ARP probe for UDP NP-offloaded sessions.
916493 Fail detection function does not work properly on X1 and X2 10G ports.
919901 For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.
926817 Review the temperature sensor for the SoC4 system.
929904 When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7.
937982 High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.
938174 ARP issue with VXLAN over IPsec and Soft Switch.
938981 The virtual server http-host algorithm is redirecting requests to an unexpected server.
943948 FortiGate as L2TP client is not working with Cisco ASR as L2TP server.
946413 Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.
947240 FortiGate is not able to resolve ARPs of a few hosts due to their ARP replies not reaching the primary FPM.
955074 MSS clamping is not working on VXLAN over IPsec after upgrading.
960707 Egress shaping does not work on NP when applied on the WAN interface.
962153 A port that uses a copper-transceiver does not update the link status in real-time.
963600 SolarWinds unable to negotiate encryption, no matching host key type found.
966761 SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented.
971404 Session expiration does not get updated for offloaded traffic between a specific host range.
977231 An error condition occurred in fgfm caused by an out-of-band management configuration.

User & Authentication

Bug ID Description
837185 Automatic certificate name generation is the same for global and VDOM remote certificates, which can cause certificates to exist with the same name.
864703 ACME client fails to work with some CA servers.
868994 FortiGate receives FSSO user in the format of HOSTNAME$.

VM

Bug ID Description
938382 OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.
968740 Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.

WAN Optimization

Bug ID Description
954541 In WANOpt transparent mode, WAN optimization does not keep the original source address of the packets.

Web Filter

Bug ID Description
925801 Custom Images are not seen on Web Filter block replacement page for HTTP traffic in flow mode.
982156 The URL local/user category rating result has only one best match category (longest URL pattern match), and other matched local/user categories cannot be chosen even if the category is configured in the profile.

WiFi Controller

Bug ID Description
874997 Fetching the registration status does not always work.

 

Common Vulnerabilities and Exposures

 

Bug ID CVE references
959918 FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-38545

Vendor release notes: FortiOS 7.0.14

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
