This article describes current options for resolving the Terrapin OpenSSH vulnerability for CentOS-based FortiNAC Appliances: CVE-2023-48795 disclosed a vulnerability surrounding SSH channel integrity. This vulnerability is listed as Moderate by RedHat.
Per Fortinet's CentOS Update Policy:
FortiNAC CentOS Updates
FortiNACs utilize the CentOS Linux distribution, CentOS is a Linux distribution that is based on a commercial offering of Linux called Red Hat Enterprise Linux (RHEL). The CentOS organization publishes periodic bug fixes and security updates for the CentOS Distribution. The CentOS organization makes updates available in repositories (web/ftp servers on their site.)
Fortinet relies on CentOS/Red Hat to update and maintain these applications. They are not maintained separately by Fortinet. Fortinet retrieves the updates from the CentOS site periodically, prepares its repository, and validates that the resulting set of packages is complete and compatible with FortiNAC. All available changes from CentOS are incorporated into Fortinet’s repository for a “maintenance update”, released once each quarter.
RedHat has the vulnerable OpenSSH package listed as 'Out of Scope' for RHEL 7, this means they will not provide an update to resolve the vulnerability. This is likely due to RHEL/CentOS 7 approaching the end of life on June 30, 2024.
The recommendation to resolve this vulnerability is to migrate to NacOS as it will receive an updated version of OpenSSH containing a security fix. See the appropriate CentOS to FortiNAC-OS VM Migration documentation for your deployment type listed under Admin Guides:
FortiNAC
RedHat has listed a Mitigation on the CVE listing (https://access.redhat.com/security/cve/cve-2023-48795), that can be used at the user's risk. These changes could affect communication between the FortiNAC and the infrastructure that it manages through SSH.
Additionally, the configuration files that are modified to implement the mitigation, are overwritten during upgrades, so the changes will need to be re-applied. A note should be placed into /bsc/campusMgrUpdates/README so that the mitigation can be re-applied.
|