B&B Bezpieczeństwo w biznesie

Fortinet has published an update for FortiAuthenticator, version 6.3.4. For security reasons, the new software version updates the OpenLDAP, libxml2 and OpenSSL components, which means that FortiAuthenticator in this version is free of the CVE-2022-0778 vulnerability.

Resolved issues:

| Bug ID | Description |
|--------|-------------|
| 837219 | FortiAuthenticator-VM on same Hyper-V host cannot form HA A/A cluster after July 2022 Windows Updates. |
| 861776 | Upgrade OpenSSL from 1.1.1n to 1.1.1s, then again to 1.1.1t. |
| 774147 | FortiAuthenticator – [FG-IR-21-254] `Host` header injection. |
| 831595 | CLI – Setting timezone and DNS does not clear GUI settings cache. |
| 791452 | OpenSSL 1.1.1n – Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778). |
| 830002 | XSS observed in the password reset done page. |
| 800714 | [3rd party component upgrade required for security reasons] FortiAuthenticator – OpenLDAP to 2.6.2. |
| 814167 | [3rd party component upgrade required for security reasons] FortiAuthenticator – libxml2 to 2.9.14. |
| 805720 | [3rd party component upgrade required for security reasons] FortiAuthenticator – linux_kernel to 5.10.111/5.4.189/4.19.238/4…. |
| 803891 | SAML peer certificate expiration issue and XML security issue. |
| 788824 | [3rd party component upgrade required for security reasons] FortiAuthenticator – Dirty Pipe Vulnerability on Linux Kernel. |

Common Vulnerabilities and Exposures

FortiAuthenticator is no longer vulnerable to the following CVE-Reference(s):

| Bug ID | CVE references |
|--------|----------------|
| 791452 | CVE-2022-0778 |

Known issues:

| Bug ID | Description |
|--------|-------------|
| 737078 | Private IPv6 address added to SSO list instead of the public IPv6 when received from a RADIUS accounting source. |
| 730474 | FortiAuthenticator IdP proxy fails to proxy SAML assertions received from remote IdP when a user attribute with the same name exists. |
| 730640 | When signing a CSR via SCEP, FortiAuthenticator returns "Unable to sign request, Unable to find a unique name". |
| 738349 | SAML querying LDAP when the user is admin instead of looking user locally on remote LDAP users. |
| 748818 | Device Enrollment in SCEP does not work. |
| 744768 | FortiAuthenticator is not logging LDAP group membership changes. |
| 754589 | Push service does not recognize the realm from FortiAuthenticator agent. |
| 670317 | It is not possible to resize/change columns width in a log table. |
| 632248 | Unable to provide publisher details or assign code signing certificate to a Smart Connect profile. |
| 737727 | Change in the password complexity rule is not taking effect. |
| 744916 | Sort by name in the sponsor list of the self-registration guest portal. |
| 729674 | FortiToken Mobile license status on LB nodes shows unknown. |
| 735782 | Alcatel RADIUS VSA dictionary needs to be updated. |
| 721189 | No update on the number of sent message on the dashboard. |
| 731626 | Limit of 64 characters in SAN DNS field for CSR/certificate creation. |
| 754239 | LB secondary not syncing when we failover to secondary FortiAuthenticator. |
| 747259 | FSAE is using high CPU. |
| 756786 | Guest portal authentication request failed with Cisco WLC. |
| 586851 | HTTP of FortiAuthenticator cannot be closed. |
| 712251 | Column resize or sort does not work properly in FortiAuthenticator tables. |
| 712899 | SMTP error messages do not provide accurate information. |
| 731175 | Provide skeleton language pack. |
| 711721 | Groups sorting differences when importing LDAP groups in SSO groups and FortiGate filtering. |
| 723065 | HA connection status is still showing connected even when the primary FortiAuthenticator is already shutdown. |
| 603510 | Memory usage is high. |
| 685295 | Implement correct handling of VM license in case of configuration conversion. |
| 701758 | Problem setting static IP address on a FortiAuthenticator VM installed on a XenServer. |
| 709007 | Error when Importing remote LDAP user. |
| 704565 | FortiAuthenticator only applies one captive portal policy, ignores RADIUS client IP/AP IP in portal policy selection. |
| 714927 | Unable to expand FortiAuthenticator "data drive" beyond 2 TB. |
| 717175 | Local users export/import feature does not work if bcrypt hash is used. |
| 592837 | Sponsor accounts can add guest user accounts to non-guest groups. |
| 692839 | Local cert for GUI rejected despite SAN field. |
| 632629 | Smart Connect WPA2-Personal profile fails when WPA2-Enterprise settings are left in place. |
| 622426 | MAC address parameter in portal policy should only allow MAC addresses. |
| 697447 | Octet/ASCII conversion for all RADIUS attribute-value pair inputs. |
| 693151 | Allow deletion of expired user and local service certificates. |
| 725339 | Update to 6.3.1 produces 503 server error for GUI under heavy SCEP traffic. |
| 729018 | Concatenated style OTP not working with Windows-AD auth enabled. |
| 733115 | Authentication using OTP instead FIDO before FIDO token register does not work. |
| 733985 | Built-in big switch network RADIUS attributes cause failure to send ACCESS-ACCEPT. |
| 665384 | HA failover does not work reliably after maintenance mode is disabled on a high priority node. |
| 706701 | FortiAuthenticator cluster is inconsistently accessible via HA interfaces from outside the HA subnet. |
| 767387 | Unable to issue new certificates through SCEP with large number of revoked certs. |
| 746567 | Importing local users from CSV – FortiAuthenticator LB shows "In Sync with Anomalies". |
| 765446 | 500 Internal server error when adding admin profiles or user groups. |
| 766379 | Pending or deleted CSR and revoked certificates do not sync to LB secondary. |
| 763568 | The timestamp of the account status for lockout is Greenwich Mean Time 00:00 regardless of system time. |
| 745497 | Kerberos not working for AES. |
| 758008 | FortiAuthenticator joining domain and using the incorrect domain name (DNS) if the name is the same in several LDAP servers. |
| 756782 | FortiAuthenticator GUI cannot show how many users on each group. |

Vendor release notes: FortiAuthenticator 6.3.4

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
