FortiOS 6.0.16 – B&B Bezpieczeństwo w biznesie

Fortinet udostępnił aktualizację dla produktu FortiOS z rodziny 6.0! Najnowsza wersja 6.0.16 jest przede wszystkim wolna od podatności CVE-2022-42475 – FG-IR-22-398. Ponadto, naprawiono błąd który powodował awarię procesu sslvpn w momencie odebrania żądania POST o treści większej niż 2GB. Jeśli korzystasz z rodziny oprogramowania 6.0, koniecznie zaktualizuj swoje urządzenie!

Aktualnie wspierane modele:

FortiGate	FG-30D, FG-30D-POE, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG‑51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG‑60E‑POE, FG-61E, FG-70D, FG-70D-POE, FG‑80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG‑300D, FG-300E, FG-301E, FG‑400D, FG-400E, FG-401E, FG‑500D, FG‑500E, FG-501E, FG-600D, FG-600E, FG-601E, FG‑800D, FG-900D, FG-1000D, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3400E, FG-3401E, FG3600E, FG-3601E, FG-3700D, FG-3800D, FG‑3810D, FG-3815D, FG‑3960E, FG‑3980E, FG‑5001D, FG-5001E, FG-5001E1
FortiWiFi	FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF‑51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-61E, FWF‑90D, FWF-90D-POE, FWF-92D
FortiGate Rugged	FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM	FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG‑VM64‑AWSONDEMAND, FG-VM64-HV, FG‑VM64-KVM, FG-VMX, FG-VM64-XEN, FG‑VM64‑GCP, FG-VM64-OPC, FG‑VM64-GCPONDEMAND
Pay-as-you-go images	FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier	FortiOS Carrier 6.0.16 images are delivered upon request and are not available on the customer support firmware download page.

Rozwiązane problemy:

SSL VPN

Bug ID	Description
848437	The sslvpn process crashes if a POST request with a body greater than 2 GB is received.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	CVE references
853448	FortiOS 6.0.16 is no longer vulnerable to the following CVE Reference: CVE-2022-42475

Bug ID

CVE references

853448

FortiOS 6.0.16 is no longer vulnerable to the following CVE Reference:

CVE-2022-42475

Znane problemy:

Antivirus

Bug ID	Description
590092	Cannot clear `scanunit vdom-stats` to reset the statistics on ATP widget.

Firewall

Bug ID	Description
508015	Editing a policy in the GUI changes the FSSO setting to disable.

GUI

Bug ID	Description
682440	On Firewall Policy list, the tooltip for IP Pool shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.
697290	In Firefox, the GUI cannot load the IPS signature list page if the user clicks View IPS Signatures before the IPS profile page finishes loading. Other browsers do not have this issue.

Log & Report

Bug ID	Description
592766	Log device defaults to empty and cannot be switched on in the GUI after enabling FortiAnalyzer Cloud.

Proxy

Bug ID	Description
584719	WAD reads `ftp over-limit multi-line` response incorrectly.

System

Bug ID	Description
550701	WAD daemon signal 11 causes a cmdbsvr deadlock.
607565	Interface `emac-vlan` feature does not work on SoC4 platform.
657629	ARM-based platforms do not have sensor readings included in SNMP MIBs.
735306	Enabling `ssl-mirror-intf` on a management port in a firewall policy with flow mode IPS or application control profiles will cause all traffic to be blocked and the FortiGate to go into kernel panic and automatically reboot. Workaround: do not use a management port as an SSL mirror interface.

User & Device

Bug ID Description

567831 Local FSSO poller is regularly missing logon events.

701356

Bug ID	Description
567831	Local FSSO poller is regularly missing logon events.
701356	When a GUI administrator certificate, `admin-server-cert`, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue. Workaround: manually unset `admin-server-cert` and set it back to the same certificate. config system global unset admin-server-cert end config system global set admin-server-cert <scep_certificate> end

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end

config system global
    set admin-server-cert <scep_certificate>
end

Notatki producenta: FortiOS 6.0.16

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

Post Views: 198

CVE-2022-42475 FortiOS fortios 6.0.16