Fortinet has released the FortiOS 7.0.16 update, which fixes CVE-2023-26207, a vulnerability in which sensitive data, including passwords, was written in plain text to log files in FortiOS 7.2.0–7.2.4 and FortiProxy 7.0.0–7.0.10. The release also resolves a DLP issue that blocked downloads of files larger than 5 MB when SSL inspection was enabled, and a DNS filter bug that caused delays in the IPS Engine. The update is recommended to improve the security and performance of the system.
Supported devices:
Product line | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-400F, FG-401F, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
FortiFirewall | FFW-3980E, FFW-VM64, FFW-VM64-KVM |
FortiGate VM | FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Resolved issues:
Anti Virus
Bug ID | Description |
---|---|
948371 | Scanunit should no longer submit known infected files to FortiSandbox. |
Data Leak Prevention
Bug ID | Description |
---|---|
977334 | Users cannot download files larger than 5 MB using FPX when SSL deep inspection and DLP profiles are enabled. |
DNS Filter
Bug ID | Description |
---|---|
1010464 | When the DNS filter is enabled with external-ip-blocklist, the IPS Engine remains in D status for an extended period of time and the DNS session ends. |
1026058 | When IP is not resolved or does not exist, the DNS alters the response for the domain and results in a performance issue on the client device. |
Explicit Proxy
Bug ID | Description |
---|---|
882867 | Proxy policy match resolves IP to multiple internet service application IDs. |
1014477 | Files do not get uploaded on webmail applications with antivirus, app control, or IPS enabled on an explicit proxy policy. |
Firewall
Bug ID | Description |
---|---|
935034 | The clock skew tolerance is not reflected. |
970179 | Unrelated route changes will cause the existing session to be marked dirty. |
985508 | When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate’s interface subnet and there is no firewall policy to allow the matched traffic. |
1016547 | When FortiGate forwards M/C packets to an interface with egress-shaping-profile enabled, an interruption occurs in the kernel. |
HA
Bug ID | Description |
---|---|
974749 | TCP/SCTP sessions count mismatch in an HA pair in A-P mode. |
1017177 | A WAD processing issue causes the SNMP to not respond in an HA cluster. |
1018937 | In a FortiGate HA configuration, the tunnel connection to FortiManager is disrupted due to a mismatched serial number and local certificate issue. |
1020982 | The hasync process encounters a CPU usage issue caused by frequent attempts to get the FIB for a deleted vdom. |
Intrusion Prevention
Bug ID | Description |
---|---|
1000223 | HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address. |
IPsec VPN
Bug ID | Description |
---|---|
923150 | Some static tunnels in multiple VDOM HA setups do not come up after a firmware upgrade or restoring the configuration. |
950445 | After a third-party router failover, traffic traversing the IPsec tunnel is lost. |
1001602 | Using IPsec over back-to-back EMAC VLAN interfaces does not work as expected with NPU offload enabled. |
1003830 | IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform. |
1009332 | Traffic is interrupted on SPOKEs after upgrading to version 7.0.14 due to one NPU SA race condition. |
1042324 | The Phase1 monitor BGP remains active when the tunnel is DOWN. |
Log & Report
Bug ID | Description |
---|---|
872493 | Disk logging files are cached in the kernel, causing high memory usage. |
993476 | FortiGate encounters a CPU usage issue after rebooting with multiple VDOMs configured. |
1005171 | After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration. |
Proxy
Bug ID | Description |
---|---|
837568 | Restricted SaaS access does not work as expected when config ssl inspect-all is enabled. |
871273 | When the kernel API tries to access the command buffer, the device enters D state due to a kernel interruption. |
922093 | CPU usage issue in WAD caused by source port exhaustion when using WAN optimization. |
933502 | When a forward server with proxy authorization is configured with certain traffic, a memory usage issue in the WAD process interrupts the operation of FortiGate. |
949464 | On FortiGate, a memory usage issue in the WAD process may cause the unit to enter into conserve mode. |
979361 | After an upgrade, FortiOS encounters an error condition in the application daemon wad caused by an SSL cache error. |
982553 | After upgrading from version 6.4.13 to version 7.0.12 or 7.0.13, FortiGate experiences a memory usage issue. |
1003481 | FortiGate may not work as expected due to an error condition in the daemon WAD. |
1039006 | Some websites cannot open subpages when the HTTP2 header value exceeds 16MB. |
1048296 | FortiGate experiences an HTTP2 framing error when accessing websites using proxy mode with deep inspection configured due to a frame sizing issue in the WAD process. |
REST API
Bug ID | Description |
---|---|
859680 | In an HA setup with vCluster, a CMDB API request to the primary cluster does not synchronize the configuration to the secondary cluster. |
Routing
Bug ID | Description |
---|---|
852498 | BGP packets are marked with DSCP CS0 instead of CS6. |
900770 | DHCP relay fails after a period of time with SD-WAN. |
932092 | API call returns recursive next-hop for the gateway address. |
978683 | The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate. |
989012 | The ICMP_TIME_EXCEEDED packet does not follow the original ICMP path, so the traceroute displayed to the user is incorrect. |
1031394 | On the Network > Routing Objects page, the Set AS path option on the Edit Rule pane does not allow the use of the full range of AS numbers. |
SSL VPN
Bug ID | Description |
---|---|
999378 | When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder. |
1003672 | When RDP is accessed through SSL VPN web mode, keyboard strokes on-screen lag behind what is being typed by users. |
1004633 | FortiGate does not respond to ARP packets related to SSL VPN client IP addresses. |
1018928 | A CPU usage issue occurs in the tvc daemon when the vpn server cannot be reached. |
1024837 | OneLogin SAML does not work with SSL VPN after upgrading to version 7.0.15 or 7.4.3. |
1048915 | The SSL VPN web mode flag is determined incorrectly causing the authenticated POST request to be dropped. |
1061165 | SSL VPN encounters a signal 11 interruption and does not work as expected due to a word-length heap memory issue. |
System
Bug ID | Description |
---|---|
820268 | VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform. |
846399 | Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved. |
863542 | FortiGate devices configured behind a proxy may not connect to the FortiToken Mobile server, leading to errors when provisioning tokens. |
872391 | The session output of dia sys npu-session list shows the wrong duration when the session is very long (over 40 hours). |
885057 | Add 100G speed option on the FortiGate 1800F. |
901721 | In a certain edge case, traffic directed towards a VLAN interface could cause a kernel interruption. |
907752 | On FortiGate 1000D models, the SFP 1G port randomly experiences flapping during operation. |
915585 | Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19. |
917827 | Delay sending LACPDU in kernel 4.19. |
920320, 1029447 | FortiGate encounters increasing Rx_CRC_Errors on SFP ports on the NP6 platform when an Ethernet frame contains carrier extension symbols to Cisco devices. |
931604 | The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync. |
932002 | Possible infinite loop can cause FortiOS to become unresponsive until the FortiGate goes through a power cycle. |
939935 | High CPU usage caused by DHCP packets. |
943615 | When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed. |
947398 | When an EMAC VLAN interface is set up on top of a redundant interface, the kernel may encounter an error when rebooting. |
954529 | The diagnose npu sniffer stop command can lead to a traffic outage. |
957135 | EMAC VLAN interface uses two MAC addresses when it should only use an internally generated MAC address. |
957846 | High CPU usage caused by DHCP packets. |
981433 | The ipmcsensord does not work as expected when executing sensor-related commands before the high-end device sensor finishes booting up. |
991925 | The EMAC VLAN, with a vlanid over a physical interface and a VIP configuration, has the incorrect mac address once traffic is offloaded. |
995442 | FortiGate may generate a Power Redundancy Alarm error when there is no power loss. The error also does not show up in the system log. |
999816 | FortiGate 100 models may become unresponsive and prevent access to the GUI, requiring a reboot to regain access due to an issue with the SOC3. |
1001133 | After an upgrade, FortiGate receives a PSU RPS LOST traps error despite not having any RPS connected. |
1001601 | A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration. |
1003026 | On SoC3/SoC4 platforms, a kernel interruption may occur when running WAD monitoring scripts. |
1004231 | FortiGate loses connections to FortiManager due to a fatal unknown CA after upgrading from version 7.0.13 to 7.0.14. |
1018843 | When FortiGate experiences a memory usage issue and enters into conserve mode, the system file integrity check may not work as expected and cause the device to shutdown. |
1025114 | Insufficient free memory on entry-level FortiGate devices with 2 GB RAM may cause unexpected behavior in the IPS engine. |
1033589 | In a policy-based NGFW, when configuring the FSSO Agent on Windows AD External Connector, traffic is not forwarded. |
1037075 | On FortiGate, an interruption occurs in the kernel when running WAD process monitoring scripts. |
1037393 | FortiGate reboots due to the maximum buffer length difference between nTurbo and NPU HW. The NPU fragments packets that are larger than 10000, but carries the wrong extended info to nTurbo in the second fragment. |
1041457 | The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64 destination IP addresses. |
1043205 | After upgrading to 7.0.12, the FortiGate to FortiManager tunnel with a load balancer in between no longer operates as expected. |
1069554 | Upgrading directly from 7.2.4 or earlier versions to 7.2.9, or directly from 7.0.11 or earlier to 7.2.9 is not supported. Users must upgrade following the recommended upgrade path to avoid system hanging. |
Upgrade
Bug ID | Description |
---|---|
925567 | When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path. |
VM
Bug ID | Description |
---|---|
909368 | If Azure accelerated networking is enabled, IPsec traffic cannot be redistributed using round-robin. This results in a CPU usage issue. |
1006570 | VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM. |
1046696 | A FortiGate VM HA in Azure Cloud may intermittently go out of synchronization due to an issue in the daemon process. |
1054244 | FortiToken does not work as expected after moving a FortiGate-VM license to a new VM with the same serial number. |
1073016 | The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled. |
VoIP
Bug ID | Description |
---|---|
1004894 | VOIPD experiences high memory usage and enters into conserve mode. |
Web Filter
Bug ID | Description |
---|---|
1002266 | Web filtering does not update rating servers if there is a FortiGuard DNS change. |
WiFi Controller
Bug ID | Description |
---|---|
985265 | HA setup hostapd issue during stress test. |
989929 | A kernel interruption occurs on FWF-40F/60F models when WiFi stations connect to an SSID on the local radio. |
1001672 | FortiWiFi reboots or becomes unresponsive when connecting to SSID after upgrading to 7.0.14. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
858921 | FortiOS 7.0.16 is no longer vulnerable to the following CVE Reference: |
Vendor notes: FortiOS 7.0.16 Release Notes
Best regards,
The B&B Team
Security in Business