Fortinet udostępnił aktualizację FortiOS 7.0.16, która usuwa lukę CVE-2023-26207, dotyczącą zapisu wrażliwych danych, w tym haseł, w postaci zwykłego tekstu do plików logów w wersjach FortiOS 7.2.0–7.2.4 oraz FortiProxy 7.0.0–7.0.10. Rozwiązano także problem z mechanizmem DLP, który blokował pobieranie plików większych niż 5 MB przy włączonej inspekcji SSL, oraz błąd filtra DNS powodujący opóźnienia IPS Engine. Aktualizacja jest zalecana dla poprawy bezpieczeństwa i wydajności systemu.

Wspierane urządzenia:

FortiGate	FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG-400F, FG-401F, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG‑5001E1
FortiWiFi	FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged	FGR-60F, FGR-60F-3G4G
FortiFirewall	FFW-3980E, FFW-VM64, FFW-VM64-KVM
FortiGate VM	FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images	FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Rozwiązane problemy:

Anti Virus

Bug ID	Description
948371	Scanunit should no longer submit known infected files to FortiSandbox.

Data Leak Prevention

Bug ID	Description
977334	Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP profiles are enabled.

DNS Filter

Bug ID	Description
1010464	When the DNS filter is enabled with external-ip-blocklist, the IPS Engine remains in D status for an extended period of time and the DNS session ends.
1026058	When IP is not resolved or does not exist, the DNS alters the response for the domain and results in a performance issue on the client device.

Explicit Proxy

Bug ID	Description
882867	Proxy policy match resolves IP to multiple internet service application IDs.
1014477	Files do not get uploaded on webmail applications with antivirus, app control, or IPS enabled on an explicit proxy policy.

Firewall

Bug ID	Description
935034	The clock skew tolerance is not reflected.
970179	Unrelated route changes will cause the existing session to be marked dirty.
985508	When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate’s interface subnet and there is no firewall policy to allow the matched traffic.
1016547	When FortiGate forwards M/C packets to an interface with egress-shaping-profile enabled, an interruption occurs in the kernel.

HA

Bug ID	Description
974749	TCP/SCTP sessions count mismatch in an HA pair in A-P mode.
1017177	A WAD processing issue causes the SNMP to not respond in an HA cluster.
1018937	In a FortiGate HA configuration, the tunnel connection to FortiManager is disrupted due to a mismatched serial number and local certificate issue.
1020982	The hasync process encounters a CPU usage issue caused by frequent attempts to get the FIB for a deleted vdom.

Intrusion Prevention

Bug ID	Description
1000223	HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address.

IPsec VPN

Bug ID	Description
923150	Some static tunnels in multiple VDOM HA setups do not come up after a firmware upgrade or restoring the configuration.
950445	After a third-party router failover, traffic traversing the IPsec tunnel is lost.
1001602	Using IPSec over back to back EMAC VLAN interfaces does not work as expected with NPU offload enabled.
1003830	IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform.
1009332	Traffic is interrupted on SPOKEs after upgrading to version 7.0.14 due to one NPU SA race condition.
1042324	The Phase1 monitor BGP remains active when the tunnel is DOWN.

Log & Report

Bug ID	Description
872493	Disk logging files are cached in the kernel, causing high memory usage.
993476	FortiGate encounters a CPU usage issue after rebooting with multiple VDOMs configured.
1005171	After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration.

Proxy

Bug ID	Description
837568	Restricted SaaS access does not work as expected when config ssl inspect-all is enabled.
871273	When the kernel API tries to access the command buffer, the device enters D state due to a kernel interruption.
922093	CPU usage issue in WAD caused by source port exhaustion when using WAN optimization.
933502	When a forward server with proxy authorization is configured with certain traffic, a memory usage issue in the WAD process interrupts the operation of FortiGate.
949464	On FortiGate, a memory usage issue in the WAD process may cause the unit to enter into conserve mode.
979361	After an upgrade, FortiOS encounters an error condition in the application daemon wad caused by an SSL cache error.
982553	After upgrading from version 6.4.13 to version 7.0.12 or 7.0.13, FortiGate experiences a memory usage issue.
1003481	FortiGate may not work as expected due to an error condition in the daemon WAD.
1039006	Some websites cannot open subpages when the HTTP2 header value exceeds 16MB.
1048296	FortiGate experiences an HTTP2 framing error when accessing websites using proxy mode with deep inspection configured due to a frame sizing issue in the WAD process.

REST API

Bug ID	Description
859680	In an HA setup with vCluster, a CMDB API request to the primary cluster does not synchronize the configuration to the secondary cluster.

Routing

Bug ID	Description
852498	BGP packets are marked with DSCP CS0 instead of CS6.
900770	DHCP relay fails after a period of time with SD-WAN.
932092	API call returns recursive next-hop for the gateway address.
978683	The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate.
989012	The ICMP_TIME_EXCEEDED packet does not follow the original ICMP path displays the incorrect traceroute from the user.
1031394	On the Network > Routing Objects page, the Set AS path on the Edit Rule pane does not allow the use of the full range AS numbers.

SSL VPN

Bug ID	Description
999378	When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder.
1003672	When RDP is accessed through SSL VPN web mode, keyboard strokes on-screen lag behind what is being typed by users.
1004633	FortiGate does not respond to ARP packets related to SSL VPN client IP addresses.
1018928	A CPU usage issue occurs in the tvc daemon when the vpn server cannot be reached.
1024837	OneLogin SAML does not work with SSL VPN after upgrading to version 7.0.15 or 7.4.3.
1048915	The SSL VPN web mode flag is determined incorrectly causing the authenticated POST request to be dropped.
1061165	SSL VPN encounters a signal 11 interruption and does not work as expected due to a word-length heap memory issue.

System

Bug ID	Description
820268	VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.
846399	Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.
863542	FortiGate devices configured behind a proxy may not connect to the FortiToken Mobile server, leading to errors when provisioning tokens.
872391	The session output of dia sys npu-session list shows wrong duration when the session is very long (+40 hours).
885057	Add 100G speed option on the FortiGate 1800F.
901721	In a certain edge case, traffic directed towards a VLAN interface could cause a kernel interruption.
907752	On FortiGate 1000D models, the SFP 1G port randomly experiences flapping during operation.
915585	Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19.
917827	Delay sending LACPDU in kernel 4.19.
920320, 1029447	FortiGate encounters increasing Rx_CRC_Errors on SFP ports on the NP6 platform when an Ethernet frame contains carrier extension symbols to Cisco devices.
931604	The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync.
932002	Possible infinite loop can cause FortiOS to become unresponsive until the FortiGate goes through a power cycle.
939935	High CPU usage caused by DHCP packets.
943615	When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed.
947398	When an EMAC VLAN interface is set up on top of a redundant interface, the kernel may encounter an error when rebooting.
954529	The diagnose npu sniffer stop command can lead to a traffic outage.
957135	EMAC VLAN interface uses two MAC addresses when it should only use an internally generated MAC address.
957846	High CPU usage caused by DHCP packets.
981433	The ipmcsensord does not work as expected when executing sensor-related commands before the high-end device sensor finishes booting up.
991925	The EMAC VLAN, with a vlanid over a physical interface and a VIP configuration, has the incorrect mac address once traffic is offloaded.
995442	FortiGate may generate a Power Redundancy Alarm error when there is no power loss. The error also does not show up in the system log.
999816	FortiGate 100 models may become unresponsive and prevent access to the GUI, requiring a reboot to regain access due to an issue with the SOC3.
1001133	After an upgrade, FortiGate receives a PSU RPS LOST traps error despite not having any RPS connected.
1001601	A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration.
1003026	On SoC3/SoC4 platforms, a kernel interruption may occur when running WAD monitoring scripts.
1004231	FortiGate loses connections to FortiManager due to a fatal unknown CA after upgrading from version 7.0.13 to 7.0.14.
1018843	When FortiGate experiences a memory usage issue and enters into conserve mode, the system file integrity check may not work as expected and cause the device to shutdown.
1025114	Insufficient free memory on entry-level Fortigate devices with 2 GB RAM may cause unexpected behavior in the IPS engine.
1033589	In a policy-based NGFW, when configuring the FSSO Agent on Windows AD External Connector, traffic is not forwarded.
1037075	On FortiGate, an interruption occurs in the kernel when running WAD process monitoring scripts.
1037393	FortiGate reboots due to the maximum buffer length difference between nTurbo and NPU HW. NPU will fragment packets which are more than 10000, but carries wrong extend info to nTurbo in the 2nd fragment.
1041457	The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64 destination IP addresses.
1043205	After upgrading to 7.0.12, the FortiGate to FortiManager tunnel with a load balancer in between no longer operates as expected.
1069554	Upgrading directly from 7.2.4 or earlier versions to 7.2.9, or directly from 7.0.11 or earlier to 7.2.9 is not supported. Users must upgrade following the recommended upgrade path to avoid system hanging.

Upgrade

Bug ID	Description
925567	When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path.

VM

Bug ID	Description
909368	If Azure accelerated networking is enabled, IPsec traffic cannot be redistributed using round-robin. This results in a CPU usage issue.
1006570	VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM.
1046696	A FortiGate VM HA in Azure Cloud may intermittently go out of synchronization due to an issue in the daemon process.
1054244	FortiToken does not work as expected after moving a FortiGate-VM license to a new VM with the same serial number.
1073016	The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled.

VoIP

Bug ID	Description
1004894	VOIPD experiences high memory usage and enters into conserve mode.

Web Filter

Bug ID	Description
1002266	Web filtering does not update rating servers if there is a FortiGuard DNS change.

WiFi Controller

Bug ID	Description
985265	HA setup hostapd issue during stress test.
989929	An kernel interruption occurs on FWF-40F/60F models when WiFi stations connect to SSID on the local radio.
1001672	FortiWiFi reboots or becomes unresponsive when connecting to SSID after upgrading to 7.0.14.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	CVE references
858921	FortiOS 7.0.16 is no longer vulnerable to the following CVE Reference: CVE-2023-26207

Notatki producenta: FortiOS 7.0.16 Release Notes

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

CVE-2023-26207 Fortinet FortiOS FortiOS 7.0.16