with only one weird bugfix in the release notes:
529745 FortiOS 5.4.11
is no longer vulnerable to the following CVEReference: l CVE-2018-1338
https://docs.fortinet.com.../fortios-release-notes
sudo apt-get-rekt
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:
User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.
Once again - our VPN gateway is broken after upgrade.
When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?
Seriously, I don't have words for fortinets' QA. Because it does not exist!
BTW, Upgrade path tool for 5.4.11 is also not updated!! (Firmware was relesed 24h ago - just to be clear how support pages are up to date)
Hi, is now 5.6.9 unsecure too?
Bug FG-IR-19-034 states solution is "Upgrade to FortiOS 6.0.5 or 6.2.0"
https://fortiguard.com/psirt/FG-IR-19-034
Do we need to upgrade to 6.x to have a secure Fortigate?
Thanks
No. This bug is already fixed in 6.0.5 and 6.2.0
BR,
Flavio.
This is what I'm saying: 5.6.9 is no longer a secure version.
We need to upgrade to a 6 version, isn't it?
XavierMP wrote:You're misunderstanding: the SAME bug is fixed inThis is what I'm saying: 5.6.9 is no longer a secure version.
We need to upgrade to a 6 version, isn't it?
5.6.9
6.0.5
6.2.0
You don't need to move up to 6.x
I'm sorry but in the link:
CVE-2019-5586 FortiOS 5.2.0 to 6.0.4
CVE-2019-5588 FortiOS 6.0.0 to 6.0.4
Upgrade to FortiOS 6.0.5 or 6.2.0
It says CVE-2019-5586 affects 5.6.9 and it's solved in 6.0.5 and 6.2.0
Do you have any link that shows this bug resolved in 5.6.9
Thank you very much
I'm sorry Xavier... I thought we were still talking about CVE-2018-1338
Indeed it seems that there's NO SOLUTION for 5.6 branch!
Let me ask my Fortinet SE.
F.
I got notification of this vulnerability over the weekend... No fix on 5.6 is ridiculous! Per Fortinet's own lifecycle policy, 5.6 has until March 2020 for end of normal support and an additional 18 months of security updates after that. I'm opening a support case.
Thankfully there is at least a workaround to disable SSLVPN but that doesn't help on devices that are actually using it. Also the description seems like it's not a critical vulnerability, probably CVSS 5 or 6-ish. If the answer is they're going to fix it in some future 5.6 build, then it might be worth it to wait if jumping to 6.x was not in your plan anytime soon.
CISSP, NSE4
Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:
User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.
Once again - our VPN gateway is broken after upgrade.
When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?
Seriously, I don't have words for fortinets' QA. Because it does not exist!
To all:
https://fortiguard.com/psirt/FG-IR-18-389
So finally CVE-2018-13382 is fixed in 5.4.11, 5.6.9, 6.0.5, 6.2.0 and above
F.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.