Producent oprogramowania Fortinet opublikował właśnie najnowszą wersję oprogramowania FortiOS dla urządzeń FortiGate o numerze wersji 7.0.3. W najnowszej wersji rozwiązano problem podatności urządzeń na atak poprzez luki w zabezpieczeniu o oznaczeniach:
- CVE-2021-42757 – Przepełnienie bufora [CWE-121] w bibliotece klienta TFTP systemu FortiOS może umożliwić uwierzytelnionej osobie atakującej wykonanie lokalnie dowolnego kodu za pomocą specjalnie spreparowanych argumentów wiersza poleceń.
- CVE-2021-44168- Pobranie kodu bez sprawdzenia integralności w zabezpieczeniach [CWE-494] w poleceniu „execute restore src-vis” systemu FortiOS może umożliwić uwierzytelnionej lokalnie osobie atakującej pobranie dowolnych plików na urządzenie za pomocą specjalnie spreparowanych pakietów aktualizacji.
W wersji 7.0.3 zwiększa się także możliwość integracji z pozostałymi produktami Fortinet poprzez moduł Security Fabric. Po więcej informacji zachęcamy do przeczytania dalszej części artykułu.
Integralność Security Fabric dla FortiOS 7.0.3:
| FortiAnalyzer |
|
| FortiManager |
|
| FortiClient* Microsoft Windows |
|
| FortiClient* Mac OS X |
|
| FortiClient* Linux |
|
| FortiClient* iOS |
|
| FortiClient* Android |
|
| FortiClient* EMS |
|
| FortiAP
FortiAP-S FortiAP-U FortiAP-W2 |
|
| FortiSwitch OS (FortiLink support) |
|
| FortiSandbox |
|
* If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 6.0 and later are supported.
When upgrading your Security Fabric, devices that manage other devices should be upgraded first. Upgrade the firmware of each device in the following order. This maintains network connectivity without the need to use manual steps.
- FortiAnalyzer
- FortiManager
- FortiGate devices
- Managed FortiSwitch devices
- Managed FortiAP devices
- FortiClient EMS
- FortiClient
- FortiSandbox
- FortiMail
- FortiWeb
- FortiADC
- FortiDDOS
- FortiWLC
- FortiNAC
- FortiVoice
- FortiDeceptor
- FortiAI
- FortiTester
Aktualnie wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
| FortiGate VM | FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Rozwiązane problemy:
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE references |
|---|---|
| 752134 | FortiOS 7.0.3 is no longer vulnerable to the following CVE Reference:
|
| 752450 | FortiOS 7.0.3 is no longer vulnerable to the following CVE Reference:
|
Znane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 723686 | The partial fetch handling in the IMAP proxy only detects and scans the first fetched section, which allows threats in subsequent fetched sections to go through the firewall undetected. |
Application Control
| Bug ID | Description |
|---|---|
| 752569 | Per IP shaper under application list does not work as expected for some applications. |
Endpoint Control
| Bug ID | Description |
|---|---|
| 708545 | The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control. |
| 730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.
Workaround: delete the EMS Cloud entry then add it back. |
| 744613 | EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 664380 | When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error. |
Firewall
| Bug ID | Description |
|---|---|
| 739949 | In HA vcluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics. |
| 746891 | Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization. |
GUI
| Bug ID | Description |
|---|---|
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 677806 | IPsec tunnel interfaces not created under the management VDOM may be displayed in the global view with a different tunnel state than what is displayed in the VDOM view. |
| 685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.
Workaround: use the CLI to configure policies. |
| 707589 | System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
| 708005 | When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.
Workaround: use Chrome, Edge, or Safari as the browser. |
| 713529 | When FortiAnalyzer is configured, the HTTPS daemon may crash while processing some FortiAnalyzer log requests. There is no apparent impact on the GUI operation. |
| 714455 | CLI shows EMS tag object in the address select list, but it is not available in the GUI omni select list. |
| 730466 | The search does not work on the Policy & Objects > Addresses page if there is a non-EMS address group with an EMS tag (invalid configuration). |
| 730533 | Improve GUI error message for SSL VPN policy with VIPs or virtual servers that have web mode is enabled. |
| 735248 | On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.
Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis. |
| 738027 | The Device Inventory widget shows no results when there are two user_info parameters.
Workaround: use the CLI to retrieve the device list. |
| 742626 | The VDOM dropdown list in the banner should be scrollable. |
| 746239 | Unable to create new VIP when there is another VIP with same external IP and mapped IP ranges and different services. |
| 746953 | On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.
Workaround: use the CLI. |
| 748010 | When creating or editing a ZTNA rule from the GUI, users cannot select the any option interface for Incoming Interface. Users can still configure this option in the CLI. |
| 748530 | A gateway of 0.0.0.0 is not accepted in a policy route. |
| 749451 | On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 232-1. |
| 750490 | Firewall policy changes made in the GUI remove the replacement message group in that policy. |
| 755177 | When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path. |
HA
| Bug ID | Description |
|---|---|
| 662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
| 701367 | In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters. |
| 729719 | When enabling ha-direct, some invalid configurations should be reset and hidden. |
| 730770 | After a hasync crash, the FGFM process stops sending keepalives. |
| 732201 | VDOM restore on an already configured VDOM causes high CPU sometimes on the primary. |
| 738934 | No GARP is being sent out on the VWP interface upon HA failover, causing a long failover time. |
| 740933 | HA goes out of synchronization when uploading a local certificate. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 699973 | IPsec aggregate shows down status on Interfaces, Firewall Policy, and Static Routes configuration pages. |
| 715671 | Traffic is failing on dialup VPN IKEv2 with EAP authentication. |
| 740475 | Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E. |
| 740624 | FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.
Workaround: configure the config vpn ipsec phase2-interface
edit <name>
set src-subnet <x.x.x.x/x>
next
end
|
Log & Report
| Bug ID | Description |
|---|---|
| 747854 | PDF report generation fails due to an HPDF API error when it is drawing a circle and there is only one entry in the SQL result. |
Proxy
| Bug ID | Description |
|---|---|
| 712584 | WAD memory leak causes device to go into conserve mode. |
| 735893 | After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected. |
| 758122 | WAD memory usage may spike and cause the FortiGate to enter conserve mode. |
Security Fabric
| Bug ID | Description |
|---|---|
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
| 748389 | Security Fabric automation email action trigger shows multiple emails as one email with no separation between the addresses. |
| 753056 | Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes. |
| 753358 | Unable to trigger automation trigger with FortiDeceptor Fabric event. |
| 755187 | The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action. |
SSL VPN
| Bug ID | Description |
|---|---|
| 737894 | If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy. |
| 753515 | DTLS does not work for SSL VPN and switches to TLS. |
Switch Controller
| Bug ID | Description |
|---|---|
| 740661 | FortiGate loses FortiSwitch management access due to excessive configuration pushes. |
System
| Bug ID | Description |
|---|---|
| 572847 | The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series. |
| 596942 | SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands. |
| 639861 | Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E. |
| 644782 | A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode. |
| 675558 | SFP port with 1G copper SFP always is up. |
| 679035 | NP6 drops, and bandwidth limited to under 10 Gbps. |
| 681322 | TCP 8008 permitted by authd, even though the service in the policy does not include that port. |
| 683299 | Port group members have different speeds after the port speed is changed using a CLI script. |
| 685674 | FortiGate did not restart after restoring backup configuration. |
| 699152 | QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E. |
| 716341 | SFP28 port flapping when the speed is set to 10G. |
| 741359 | As per IEEE 802.3, NP frames under 64 octets should be discarded on the RX. |
User & Authentication
| Bug ID | Description |
|---|---|
| 750551 | DST_Root_CA_X3 certificate is expired.
Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information. |
| 756763 | In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement. |
| 757883 | FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid. |
VM
| Bug ID | Description |
|---|---|
| 689047 | ARM64-KVM has kernel panic. |
| 691337 | When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost. |
WAN Optimization
| Bug ID | Description |
|---|---|
| 728861 | HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.
Workaround: set |
| 754378 | When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 578440 | Wireless controller sends ARP request packets that are destined to the FortiGate back to all tunnel interfaces. |
| 600257 | FG-1000D and FG-1500D go in to conserve mode when wpad and cw_acd have a memory spike, which affects wireless user tunnel traffic. |
| 675164 | FWF-60F local radio shows WPA3 is not supported. |
| 726266 | GUI becomes unresponsive on FWF-60E with a wrong WTP entry. |
| 727301 | Unable to quarantine hosts behind FortiAP and FortiSwitch. |
| 748479 | cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin. |
| 750425 | In RADIUS MAC authentication, FortiGate NAS IP address will revert to 0.0.0.0 after using the FortiGate address. |
| 751509 | On FAP-U432F, the Radio 3 spectrum analysis should be disabled in the FortiGate GUI. |
Notatki producenta: FortiOS 7.0.3
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
