Fortinet has released the latest update for FortiAuthenticator, version 6.5.0. With this update the vendor has corrected problems found in the earlier version; the main changes concern fixing token delivery via e-mail. In addition, LDAPS connections to products such as FortiGate and FortiManager have been corrected, and the connection to the remote LDAP server has been fixed, since on earlier versions the server unexpectedly went offline. For more information, read on.
Resolved issues:
| Bug ID | Description |
|---|---|
| 868146 | Emergency Token is not displayed on the GUI when Yubikey is assigned. |
| 838878 | Cisco WLC portal fails (callback to 192.0.2.1). |
| 859062 | Multiple errors show up when upgrading the firmware from v6.4.3 to v6.4.6. |
| 847599 | 802.1x EAP-TLS crashed with error eap_tls: ERROR: Error allocating memory for SSL state. |
| 857630 | FortiGate CRL renewal over SCEP via FortiAuthenticator not working anymore. FortiGate failing with SCEP result=1: response is in wrong format. |
| 796493 | LDAPS connectivity issue between FortiGate/FortiManager and FortiAuthenticator. |
| 676985 | Unable to import all FortiToken hardware tokens from the same purchase order; need to add them all manually. |
| 791347 | Internal server error 500 happens when viewing RADIUS account sessions, probably caused by Called-Station-Id attribute. |
| 880495 | 'Allow OTP for EAP-MSCHAPv2 authentication with FortiClient' feature does not toggle off on the GUI. |
| 845851 | Push on the FortiAuthenticator portal does not work when the username exceeds 20 characters. |
| 838930 | No more than 20 realms can be added in Realms in Authentication > SAML IdP > General. |
| 851676 | FortiAuthenticator HA A/A Status error – In sync with anomalies. |
| 848324 | Remote LDAP server constantly becomes offline-stale. |
| 820035 | After changing the FortiAuthenticator IP address, unplugging the monitor interface does not trigger the HA failover. |
| 875150 | Group membership is not replicated to the Load Balancer when registering over WiFi portal. |
| 869341 | Unable to change the remote LDAP user password via REST API. |
| 842389 | Captive portal automatic login after successful user verification fails. |
| 859464 | SAML – VPN SSL authentication error: invalid_response. |
| 872981 | Remote LDAP clients unable to verify server certificates signed by LetsEncrypt (potentially other multipath CAs). |
| 880038 | disk_discovery.sh cannot find OSDISK / firmware drive with enlarged partitions. |
| 875835 | db_listener failure if the json contains unescaped string. |
| 769183 | FortiAuthenticator VMs need greater resiliency/improved recovery when connectivity lost to remote data drives. |
| 881575 | FortiAuthenticator outbound email should permit partial chain certificate validation. |
| 849750 | No login prompt at HW serial console when the boot is extremely broken. |
| 859878 | [SAML IdP] RelayState not being sent back to the SP for IAM logins. |
| 862716 | OAuth tokens can be verified with invalid client id. |
| 852453 | [3rd party component upgrade required for security reasons] – vmware-tools or open-vm-tools to 12.1.5. |
| 816176 | Renaming a portal back to its original name fails; triggers 500 error on self-service portal user login. |
| 817819 | Unable to expand Rule Sets after collapsing it in GUI. |
| 812651 | Sanitize portal name input. |
| 849083 | FortiAuthenticator search request rejected by 389 Directory Server. |
| 850846 | SFTP server does not work with long passwords. |
| 846150 | Token delivery via email stops working after some days. |
| 795271 | E-mail address does not appear in the logs after social login authentication. |
| 757460 | Enable Django auto-translation for any end-user pages. |
| 750134 | FortiAuthenticator as LDAP server cannot export admin users from the local user base. |
| 815897 | Unable to import LDAP user from the GUI by using IBM Lotus Domino LDAP. |
| 847585 | Under extensive load, FortiAuthenticator runs out of memory and TACACS+ daemon randomly crashes. |
| 866019 | OAuth: Attribute Error – NoneType object has no attribute 'id'. |
| 838918 | dhparam-regen 4096 4096 is not working, DH server params is still equal to 2048 bits. |
| 773083 | Enable/disable FortiToken Cloud push notification button shuts down all authentication methods. |
| 829318 | 'Users and Devices' permission set does not allow importing remote LDAP users. |
| 826424 | Registering an already existing username on Legacy Self-serve Portal triggers 500 error. |
| 828141 | Cross-site Scripting (XSS) – Reflected on https://x.x.x.x/user/reset-password/done/. |
| 845700 | Chained token authentication fails with self service portal. |
| 804238 | FortiAuthenticator 6.4.1 GA SAML logout fails. |
| 811662 | FortiAuthenticator IdP error 403 when returning to SP after registering on a self-service portal. |
| 809353 | Country code selection for guest portal user registration on iOS selects incorrect country prefix. |
| 787013 | Changing the username attribute will cause the remote sync rule to remove existing remote users and eventually reimport them. |
| 830386 | 'Users Audit Report' does not update timestamps in 'Last Used' column for EAP-TLS authentication used for Wireless. |
| 791127 | Sometimes (randomly) FortiAuthenticator fails to send email notification. |
| 831114 | Ukrainian language pack is added but the legacy self-service portal shows some parts in English and some in Ukrainian. |
| 831700 | RSSO sessions are getting Logged Off/Flushed from FortiAuthenticator. |
| 844295 | Unable to import guest users using CSV format in FortiAuthenticator 6.4.5. |
| 846587 | Check the reason for FortiAuthenticator deleting remote LDAP user. |
| 868672 | FortiAuthenticator is using a vulnerable JQUERY-UI version 1.12.1 in old and new firmware 6.4.6 release. |
| 836086 | Revoked Intermediate CA are shown in the GUI as used per license. |
| 849395 | TACACS+ AVPs order could prevent sending some AVPs even if these are set as mandatory. |
| 799768 | Automatic CRL download error with 2 identical DN. |
| 801009 | Remote SAML user sync rule creates one log entry for every SAML user assigned FortiToken Mobile every time SAML sync occurs. |
| 767745 | SNMP facSysCpuUsage returns wrong type. |
| 767935 | A-P cluster forms when configured from the GUI, but not when configured from the CLI without a restart. |
| 827702 | FortiAuthenticator vulnerability assessment – outdated jquery version/missing HTTP headers requested to be fixed. |
| 855080 | Import RADIUS client from CSV file fails when the password has special characters. |
| 856867 | Captive Portal with iPhone CNA fails when users attempt to register. |
| 849700 | FortiAuthenticator does not follow best practices for the certificate SN length. |
| 773020 | Revoking of certificate is not being seen with OCSP until FortiAuthenticator reboots. |
| 825665 | Wrong client IPv4 attribute for Fortinet SSO Methods > SSO > RADIUS Accounting Sources. |
| 817304 | Explicit indication that the remote user sync rules OTP method assignment priorities can be moved up or down. |
| 818288 | FortiAuthenticator should populate user_ip and location fields in requests to FortiToken Cloud userauth endpoint when available. |
| 807702 | Upgrade JQuery. |
| 868253 | Prevent creating realms with remote SAML server of type FSSO. |
| 798722 | FortiAuthenticator should log errors returned from FortiToken Cloud and show error message text returned in the FortiToken Cloud API response in the FortiAuthenticator logs. |
| 826532 | [3rd party component upgrade required for security reasons] – django to 3.2.14. |
| 842930 | [3rd party component upgrade required for security reasons] – OAuthLib to 3.2.1. |
| 803240 | [3rd party component upgrade required for security reasons] – cryptography_project to 3.3.2. |
| 860911 | [3rd party component upgrade required for security reasons] – pillow to 9.3.0. |
| 822712 | [3rd party component upgrade required for security reasons] – http_server up to 2.4.54. |
| 841415 | [3rd party component upgrade required for security reasons] – linux_kernel to 4.9.312/4.14.277/4.19.241/5…. |
| 856564 | [3rd party component upgrade required for security reasons] – curl to 7.86.0. |
| 517799 | Default only self resource reference (CSP) to avoid XSS attacks. |
| 836112 | [3rd party component upgrade required for security reasons] – postgresql to 10.22, 11.17, 12.12, 13.8, 14.5. |
| 639819 | FortiAuthenticator – Crafted username does not trigger login attempt limit. |
| 800738 | [3rd party component upgrade required for security reasons] – tcpdump vulnerabilities – precaution upgrade. |
| 811416 | [3rd party component upgrade required for security reasons] – rsyslog to 8.2204.1. |
| 877962 | [3rd party component upgrade required for security reasons] – freeradius to 3.0.26 [backported fix instead]. |
| 812288 | [3rd party component upgrade required for security reasons] – FreeRADIUS up to 3.2.0. |
| 814071 | [3rd party component upgrade required for security reasons] – openvpn to 2.4.12/2.5.6. |
| 803668 | Glibc to 2.35. |
| 812751 | [3rd party component upgrade required for security reasons] – paramiko to 2.10.1/latest. |
| 847140 | Backend triggered local password change: if the password does not pass the password policy, no logs about it. |
| 881926 | Email verification template is missing from the legacy user registration. |
| 870806 | Improvement in the Scan QR code option. |
| 810344 | 400 error when MAC device limit reached in the FortiAuthenticator admin GUI. |
| 801438 | FortiToken Mobile scan QR code should go away if the token has already been assigned. |
| 847635 | Adding all the hardware FortiTokens from the purchase order does not work properly. |
| 873365 | Disabling the admin user does not disable the API key. |
| 808317 | Instead of only displaying build version and number in upgrade history, show build name as well. |
| 808324 | Record the 'starting' build number as well in the upgrade history. |
| 769142 | Django upgrade. |
| 870186 | Rename G-Suite to Google Workspace. |
| 851341 | Scopes with no description are not displayed in the OAuth authorization pop-up window. |
| 862920 | Register FIDO key button shows a delete icon when editing a local user. |
| 861776 | Upgrade OpenSSL from 1.1.1n to 1.1.1s, then again to 1.1.1t. |
| 848925 | Failed to add RADSEC server certificate on the RADIUS-EAP configuration page. |
| 581065 | The last used field is empty for a remote SAML user in the downloaded user audit report CSV file. |
| 846492 | When enabling/disabling a remote SAML user via user lookup we should not need admin password recheck. |
| 839513 | FortiAuthenticator as proxy in SAML setup is not sending out the same authentication context received from IdP. |
| 808310 | Password reset crashes after n attempts on security questions. |
| 860292 | Custom RADIUS user attribute is not syncing over in HA LB setup. |
| 660918 | Clicking the Allow remote LDAP groups button in RADIUS or TACACS policy reverts all the selected groups. |
| 653638 | Locked out user account should have status as disabled in the user lookup page. |
| 811255 | Lost my token option displaying string index out of range error. |
| 821316 | Portal should not be showing total MAC devices limit. |
| 793838 | Password not defined after importing users from LDAP as a local user via sync rule. |
| 817915 | Hide RADIUS attribute substring match option for non-string types. |
| 830218 | Wrong Azure client id/key shows internal server error in the debug logs. |
| 847666 | Enabling zero trust tunnel without selecting any tunnel from the dropdown can be saved without error messages. |
| 796156 | SNMP table thresholds should not be able to exceed 100 percent. |
| 844546 | LDAP filter Set Group Filter not working properly. |
| 660921 | Guest portal should not work if the URL contains http instead of https. |
| 799641 | FIDO key user should have information in User lookup. |
| 761482 | FIDO2 authentication not compatible with Apple’s WiFi popup. |
| 868738 | Two FortiAuthenticator devices working in the load balance mode stopped listening on port 8001. |
Vendor release notes: FortiAuthenticator 6.5.0
Regards,
The B&B Team
Security in business
