B&B Bezpieczeństwo w biznesie
Fortinet has released version 7.0.7 of its FortiGate firmware. This release is free of the vulnerability CVE-2022-40684, which allowed unauthenticated users to perform operations in the administrative interface by means of specially crafted HTTP or HTTPS requests. Read on for more details.

Currently supported models:

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG‑5001E1
FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged FGR-60F, FGR-60F-3G4G
FortiGate VM FG-ARM64-AWS, FG-ARM64-KVM, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN
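To turn the announcement above into a fleet check, the following added example (not code from the page or from Fortinet) parses the Version line printed by the FortiOS CLI command get system status, normalises the model name to the FG-/FWF-/FGR- form used in the platform list above, and reports whether a device still needs the 7.0.7 update. It assumes that every 7.0.x build below 7.0.7 is affected (the page only states that 7.0.7 is no longer vulnerable) and uses a subset of the platform list; the sample Version lines in the comments are constructed.

```python
import re
from typing import Optional

# Subset of the platforms listed above as supported by FortiOS 7.0.7;
# extend it with the rest of the list for a real fleet check.
SUPPORTED_BY_7_0_7 = {
    "FG-40F", "FG-60E", "FG-60F", "FG-100F", "FG-200F", "FG-600E", "FG-1100E",
    "FG-2600F", "FWF-60F", "FGR-60F", "FG-VM64", "FG-VM64-KVM", "FG-VM64-AZURE",
}

FIXED = (7, 0, 7)  # release the page announces as no longer vulnerable

# Version line as printed by `get system status`, for example (constructed):
#   Version: FortiGate-100F v7.0.6,build0001,220101 (GA)
_VERSION_RE = re.compile(
    r"Version:\s*(?P<model>\S+)\s+v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r",build(?P<build>\d+)"
)

# CLI model families mapped to the short prefixes used in the platform list.
MODEL_PREFIXES = {"FortiGate": "FG", "FortiWiFi": "FWF", "FortiGateRugged": "FGR"}


def parse_status(status_output: str) -> Optional[dict]:
    """Extract model, version tuple and build number; None if no Version line."""
    m = _VERSION_RE.search(status_output)
    if not m:
        return None
    family, _, suffix = m.group("model").partition("-")
    prefix = MODEL_PREFIXES.get(family, family)
    return {
        "model": f"{prefix}-{suffix}" if suffix else prefix,
        "version": (int(m.group("major")), int(m.group("minor")), int(m.group("patch"))),
        "build": int(m.group("build")),
    }


def assess(status_output: str) -> str:
    """Classify one device against the 7.0.7 fix release."""
    info = parse_status(status_output)
    if info is None:
        return "unknown: could not parse Version line"
    major, minor, patch = info["version"]
    if (major, minor) != (7, 0):
        # 7.0.7 only covers the 7.0 branch; other branches have their own fix releases.
        return "other-branch: not covered by the 7.0.7 notes"
    if (major, minor, patch) >= FIXED:
        return "fixed"
    if info["model"] not in SUPPORTED_BY_7_0_7:
        return "affected: model not in the 7.0.7 platform list, check vendor guidance"
    return "affected: upgrade to 7.0.7"
```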

Resolved issues:

Bug ID CVE references
846234 FortiOS 7.0.7 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-40684
846854 FortiOS 7.0.7 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-40684

Known issues:

Anti Virus

Bug ID Description
727067 FortiGate should fix the interface between FortiGate and FortiAnalyzer for the CDR file.
795784 Able to bypass FortiOS AV inspection on email traffic when manipulating a MIME attachment with junk and pad characters in Base64.
800731 Flow AV sends HTML files to the FortiGate Cloud Sandbox every time when HTML is not configured in file list.
805655 A scanunit crash with signal 11 occurs for SMTP and QP encoding.

Endpoint Control

Bug ID Description
730767 The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

775742 Upgrade EMS tags to include classification and severity to guarantee uniqueness.

Firewall

Bug ID Description
824091 Promethean Screen Share (multicast) is not working on the member interfaces of a software switch.

FortiView

Bug ID Description
804177 When setting the time period to now filter, the table cannot be filtered by policy type.
811095 Threat type N/A – Static URL Filter is showing on sources that do not have the URL filter enabled.

GUI

Bug ID Description
440197 On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.
677806 On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.
685431 On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589 System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.
708005 When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

749843 Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.
755177 When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.
777145 Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch’s operation.

Workaround: confirm the FortiSwitch registration status in the FortiCare portal.

798161 System > Certificates page keeps spinning when trying to access it from Safari.
810225 An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.
831885 Unable to access GUI via HA management interface of secondary unit.

HA

Bug ID Description
750978 Interface link status of HA members goes down when cfg-revert tries to reboot after cfg-revert-timeout.
782734 Cluster is out-of-sync due to switch controller managed switch checksum mismatch.
785514 In some situations, the fgfmd daemon is blocked by a query to the HA secondary checksum, which causes the tunnel between the FortiManager and FortiGate to go down.
803354 After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender.
810286 FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect.
811535 HA failure occurs on a pair of FG-2600s due to packet loss on the heartbeat interface.
830463 After shutting down the HA primary unit and then restarting it, the uptime for both nodes is zero, and it fails back to the former primary unit.

Hyperscale

Bug ID Description
804742 After changing hyperscale firewall policies, it may take longer than expected for the policy changes to be applied to traffic. The delay occurs because the hyperscale firewall policy engine enhancements added to FortiOS 7.0.6 may cause the FortiGate to take extra time to compile firewall policy changes and generate a new policy set that can be applied to traffic by NP7 processors. The delay is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions.
805846 In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0.
807476 After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled.
810025 Using EIF to support hairpinning does not work for NAT64 sessions.
810379 Creating an access control list (ACL) policy on a FortiGate with NP7 processors causes the npd process to crash.
811109 FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.
812833 FortiGate still holds npu-log-server related configuration after removing hyperscale license.
836976 Traffic is impacted when changing from log to hardware to log to host during runtime (with PPA enabled).
837270 Disabling Block intra-zone traffic in a zone does not allow TCP/UDP traffic between interfaces of the zone.
838654 Hit count does not increment for the implicit deny policy for hardware sessions in the case of NAT46 and NAT64 traffic.
839958 service-negate does not work as expected in a hyperscale deny policy.
842008 After HA failover, session count cannot synchronize on secondary FortiGate.
843197 Output of diagnose sys npu-session list/list-full does not mention policy route information.
843266 Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.
843305 A PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log appears when the system boots up.
846520 NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover.

IPsec VPN

Bug ID Description
761754 IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.
790486 Support IPsec FGSP per tunnel failover.
810988 GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it).
815253 NP7 offloaded egress ESP traffic is not sent out of the FortiGate.
815969 Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled.

Log & Report

Bug ID Description
790893 Logging filters do not work as expected.
814427 FortiGate error in FortiAnalyzer connectivity test on secondary device after upgrade.
821359 FortiGate appears to have a limitation in the syslogd filter configuration.

Proxy

Bug ID Description
768278 WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.
793651 An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection.
809346 FTPS helper is not opening pinholes for expected traffic for non-standard ports.
823247 WAD user_info process leaks memory.

Routing

Bug ID Description
756955 Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.
795213 On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route.
796070 Incorrect SD-WAN kernel routes are used on the secondary device.
796409 GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.
808840 After cloning a static route, the URL gets stuck with "clone=true".

Security Fabric

Bug ID Description
614691 Slow GUI performance in large Fabric topology with over 50 downstream devices.
794703 Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.
803600 Automation stitch for a scheduled backup is not working.
814796 The threat level threshold in the compromised host trigger does not work.
815984 Azure SDN connector has a 403 error when the AZD restarts.

SSL VPN

Bug ID Description
626311 SSL VPN users are remaining logged on past the auth-timeout value.
767832 After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.
780765 High CPU usage in SSL VPN using libssh2.
789642 Unable to load Grafana application through SSL VPN web mode.
796768 SSL VPN RDP is unable to connect to load-balanced VMs.
809209 SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.
809473 When sslvpnd debugs are enabled, the SSL VPN process crashes more often.
810715 Web application is not loading in the SSL VPN web mode.
811007 The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created.
811492 SSL VPN should not leak information while performing Telnet.
814040 SSL VPN bookmark configuration is added automatically after client logs in to web mode.
814708 The same SAML user failed to establish a tunnel when a stale web session exists with limit-user-logins enabled.
816716 sslvpnd crashed when deleting a VLAN interface.
816881 TX packet loss on ssl.root interface.
817843 Logging out of SSL VPN tunnel mode does not clear the authenticated list.
819296 GUI should not use <server_ip> as a sender to send the SSL VPN configuration (it should use value set in reply-to).

Switch Controller

Bug ID Description
794026 FortiGate quarantines are stuck at 256.
803307 The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable.
805154 Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect.
810550 Sending DHCP/ARP packets fails with errno = 6 in the log when config-sync runs.

System

Bug ID Description
724085 Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.
751870 User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.
764252 On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.
764954 FortiAnalyzer serial number automatically learned from miglogd does not send it to FortiManager through the automatic update.
787595 FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.
789153 A profile with higher privileges than the user’s own profile can be set.
798091 After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot come up because auto-negotiation is missed.
798303 The threshold for conserve mode is lowered.
800294 Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies.
801053 FG-1800F existing hardware switch configuration fails after upgrading.
807947 Unable to create new interface and VDOM link with names that contain spaces.
813223 Random kernel panic occurs due to calling timer_setup.
815360 NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time.
819640 SSH public key changes after every reboot.
824464 CMDB checksum is not updated when a certificate is renewed over CMP, causing a FortiManager failure to synchronize with the certificate.

Upgrade

Bug ID Description
803041 Link lights on the FG-1100E fail to come up and are inoperative after upgrading.

User & Authentication

Bug ID Description
813407 Captive portal authentication with RADIUS user group truncates the token code to eight characters.

VM

Bug ID Description
786278 Bandwidth usage is not shown when DPDK is enabled.
803219 Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed.
809963 A cmdbsvr crash occurs on FG-KVM32 after running a concurrent performance test.

WAN Optimization

Bug ID Description
728861 HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.

Workaround: set wanopt to automatic mode, or set transparent disable in the wanopt profile.

Web Filter

Bug ID Description
766126 Block replacement page is not pushed automatically to replace the video content when using a video filter.

WiFi Controller

Bug ID Description
796036 Manual quarantine for wireless client connected to SSID on multi-VDOM with wtp-share does not work.
807713 FortiGate is not sending RADIUS accounting message consistently to RADIUS server for wireless SSO.
809623 CAPWAP traffic is dropped when capwap-offloading is enabled.
811953 Configuration installation from FortiManager breaks the quarantine setting, and the VAP becomes undeletable.
821803 Wireless multicast traffic causes the cw_acd process to have high CPU usage and triggers a hostapd crash.

Vendor release notes: FortiOS 7.0.7

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
