Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hosemacht
Contributor II

FortiOS 5.6.9 is out

with only one weird bugfix in the release notes:

 

529745 FortiOS 5.4.11

is no longer vulnerable to the following CVEReference: l CVE-2018-1338

 

https://docs.fortinet.com.../fortios-release-notes

sudo apt-get-rekt

sudo apt-get-rekt
1 Solution
rojekj
New Contributor III

Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:

User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.

 

Once again - our VPN gateway is broken after upgrade.

When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?

Seriously, I don't have words for fortinets' QA. Because it does not exist!

View solution in original post

29 REPLIES 29
wolfschen

BTW, Upgrade path tool for 5.4.11 is also not updated!! (Firmware was relesed 24h ago - just to be clear how support pages are up to date)

 

XavierMP

Hi, is now 5.6.9 unsecure too?

Bug FG-IR-19-034 states solution is "Upgrade to FortiOS 6.0.5 or 6.2.0"

https://fortiguard.com/psirt/FG-IR-19-034

Do we need to upgrade to 6.x to have a secure Fortigate?

Thanks

FlavioB
New Contributor III

No. This bug is already fixed in 6.0.5 and 6.2.0

BR,

Flavio.

XavierMP

This is what I'm saying: 5.6.9 is no longer a secure version.

We need to upgrade to a 6 version, isn't it?

FlavioB
New Contributor III

XavierMP wrote:

This is what I'm saying: 5.6.9 is no longer a secure version.

We need to upgrade to a 6 version, isn't it?

You're misunderstanding: the SAME bug is fixed in

5.6.9

6.0.5

6.2.0

You don't need to move up to 6.x

XavierMP

I'm sorry but in the link:

Affected Products

CVE-2019-5586 FortiOS 5.2.0 to 6.0.4

CVE-2019-5588 FortiOS 6.0.0 to 6.0.4

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0

 

It says CVE-2019-5586 affects 5.6.9 and it's solved in 6.0.5 and 6.2.0

Do you have any link that shows this bug  resolved in 5.6.9

Thank you very much

FlavioB
New Contributor III

I'm sorry Xavier... I thought we were still talking about CVE-2018-1338

Indeed it seems that there's NO SOLUTION for 5.6 branch!

Let me ask my Fortinet SE.

F.

Kenundrum

I got notification of this vulnerability over the weekend... No fix on 5.6 is ridiculous! Per Fortinet's own lifecycle policy, 5.6 has until March 2020 for end of normal support and an additional 18 months of security updates after that. I'm opening a support case.

Thankfully there is at least a workaround to disable SSLVPN but that doesn't help on devices that are actually using it. Also the description seems like it's not a critical vulnerability, probably CVSS 5 or 6-ish. If the answer is they're going to fix it in some future 5.6 build, then it might be worth it to wait if jumping to 6.x was not in your plan anytime soon.

CISSP, NSE4

 

CISSP, NSE4
rojekj
New Contributor III

Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:

User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.

 

Once again - our VPN gateway is broken after upgrade.

When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?

Seriously, I don't have words for fortinets' QA. Because it does not exist!

FlavioB
New Contributor III

To all:

https://fortiguard.com/psirt/FG-IR-18-389

So finally CVE-2018-13382 is fixed in 5.4.11, 5.6.9, 6.0.5, 6.2.0 and above

 

F.

Labels
Top Kudoed Authors