Fortinet has released an update for FortiAuthenticator, version 6.2.2. For security reasons, the new software version updates the OpenLDAP, libxml2 and OpenSSL components, so FortiAuthenticator in this version is free of the CVE-2022-0778 vulnerability.
|User logon is not working with FSSOMA mobility agent.
|FortiAuthenticator-VM on same Hyper-V host cannot form HA A/A cluster after July 2022 Windows Updates.
|Upgrade OpenSSL from 1.1.1n to 1.1.1s, then again to 1.1.1t.
|Allowed hosts configuration through CLI not reflected in the GUI before reboot.
|Setting timezone and DNS does not clear the GUI settings cache.
|OpenSSL 1.1.1n – Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778).
|[3rd party component upgrade required for security reasons] FortiAuthenticator – OpenLDAP to 2.6.2.
|[3rd party component upgrade required for security reasons] FortiAuthenticator – libxml2 to 2.9.14.
|SAML peer certificate expiration issue and XML security issue.
FortiAuthenticator is no longer vulnerable to the following CVE-Reference(s):
|GUI – Hide SNMP trap option for PSU monitoring for unsupported devices.
|CLI only supports configuring interfaces port1 to port4.
|Wrong group attributes indicator in RADIUS policy response table for EAP-TLS.
|Add default usage profiles.
|No Kerberos ticket requests (negotiate) on encrypted HTTPS traffic from FortiAuthenticator.
|Sponsor/Admin can place created Guest users into any group.
|FortiAuthenticator dropping FSSO login events from DC Agent on failed DNS resolution.
|Fine-grained menu content has misaligned pointer in SSO/General.
|FortiAuthenticator FSSO – TS Agent sessions stuck at zero after server reboot until FSSOTA service is restarted.
|Admin cannot log in to approve the self-registration when group filters are set without admin user in Guest Portal policy.
|When LDAP user password expired, user is not prompted for RSA token code (chained token authentication).
|SCEP request by certmonger cannot be recognized by automatic enrollment request.
|Smart Connect WPA2-Personal profile fails when WPA2-Enterprise settings are left in place.
|An expired certificate is delivered toward WiFi authenticated users.
|Smart Connect missing the ability to forget an SSID.
|Should be able to resize the users page column width manually by using mouse.
|Remote SAML user import from Azure AD fails authorization issue.
|Unable to add multiple alternate DNS names into certificate for user certificates.
|Allow bulk unlock for FTM tokens.
|Remote SAML user import from Azure AD issues.
|FortiAuthenticator rejects certificate signing requests from FortiGate client with invalid password error.
|SSL connection failed in case of certificate expired error message is not explicit.
|No FTM push notification with Windows agent 3.0.
|FortiGate filtering stops any users sent to FortiGate even though users are member of group/container.
|FortiAuthenticator Windows Agent prompts for token despite incorrect password, and then does not prompt for user credentials again.
|SAML authentication fails when AD display name contains a comma (,) and user has admin role.
|FortiAuthenticator does not check if signature of CSR is valid.
|Unable to install FAC-VM-HV 6.2.0 on server 2012 R2.
|Domain controller query status shows failed with successful queries.
|TIME USAGE=Time used is not triggering COA or disconnect request to FortiGate.
|FSSO FortiGate IP filter ignored when global group prefilter is enabled.
|HTTPS certificate chain is inconsistent/incorrect.
|Nutanix AHV KVM based Hypervisor FortiAuthenticator upgrades from 6.0.4 to 6.1.x fails, and hangs on "Waiting for Database".
|If local CA is selected for EAP and no EAP server certificate is present on FortiAuthenticator, radiusd keeps crashing after upgrading to 6.2.0.
|Multiple DC’s kerberos traffic after FortiAuthenticator joining the domain with local DC.
|SCEP – Encryption/hash compatibility with clients.
|Recurrent log message: Portal was not found in the session, redirecting back to entry point.
|Allowed hosts configuration through CLI is not reflected in GUI before reboot.
|Remote LDAP admins have no certificate bindings.
|GUI does not show certificate UPN.
|Sponsor accounts can add guest user accounts to non-guest groups.
|"Portal was not found in the session" when registering a guest with non-ASCII characters "Umlauts".
|After upgrading FortiAuthenticator from 5.4 to 6.x, Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
|Unable to export third party signed certificate with private key when CSR is generated locally on FortiAuthenticator.
|FortiAuthenticator Windows Agent 3.0 – New RDP connection by the same user is unable to finish due to blank login screen.
|When trying to access to self service portal, error "Please enter correct credentials. Note password is case-sensitive" is randomly displayed.
|RADIUS client service not working after upgrade.
|Subdomain users can authenticate over FortiAuthenticator Agent installed on workstation in main domain without the token code.
|Change password not working with Checkpoint VPN when 2FA is enabled.
|The lockout policy does not apply to username/token submissions to the /auth API endpoint.
|Packet captures on OCI seem to be corrupt.
|SAML SSO/Proxy metadata download fails with "invalid_xml".
Vendor release notes: FortiAuthenticator 6.2.2