with only one weird bugfix in the release notes:
529745 FortiOS 5.4.11
is no longer vulnerable to the following CVEReference: l CVE-2018-1338
https://docs.fortinet.com.../fortios-release-notes
sudo apt-get-rekt
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:
User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.
Once again - our VPN gateway is broken after upgrade.
When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?
Seriously, I don't have words for fortinets' QA. Because it does not exist!
Can someone clarify something for me? I've read through all these CVEs and the FG links above. They all seem to be vulnerabilities in the SSL VPN Web Portal only. Have I understood that correctly? If we're only using FortiClient connections, is there any urgency to upgrade?
Stephen Frost wrote:Unfortunately, based on the sparse details, if you're using Forticlient connections to an SSLVPN, then you are vulnerable. If you are using Forticlient exclusively for ipsec tunnels, then you can use the workaround and disable sslvpn altogether.If we're only using FortiClient connections, is there any urgency to upgrade?
The nature of the vulnerabilities appear to be that an unauthenticated user can send http requests that perform unintended/unauthorized actions. If you are using SSLVPN at all, it must respond to http requests by its nature and it won't matter if they are coming from a browser or from a forticlient.
The advisory is very light on details and the CVE entries have not been updated. It's hard to know for sure, so it's best to assume you are susceptible.
Again- the silver lining is that this appears to be relatively obscure and does not appear to completely compromise the system. However the one about changing a user password can likely be combined with some other issue to really cause trouble on the receiving end.
CISSP, NSE4
Thanks for the reply. Yeah, that's what I was hoping to avoid, but I might need to upgrade right away. Damn. I'm heading off on leave from next week too, so I don't want to risk introducing any stability issues by doing a major firmware upgrade just before I go.
Hello ,
I am currently at 5.6.8 , I have a valid upgrade path to 5.6.9 but as I currently understand that this version is also vulnerable , I only have the option to upgrade to 6.0.0/6.0.1/6.0.2 and 3 of them with invalid upgrade path
I have no other firmware listed than the 6.0.0-6.0.2
Should I go to 5.6.9 inorder to be able to upgrade to 6.0.5?
Upgrading to 5.6.9 gave me the option to upgrade to 6.0.3 but still invalid upgrade path.
6.0.4 and 6.0.5 I can't see both of them.
rojekj wrote:Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:
User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.
Once again - our VPN gateway is broken after upgrade.
When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?
Seriously, I don't have words for fortinets' QA. Because it does not exist!
I can confirm this. We have the same problem. Don't use this version of FortiOS, when you have have rules based on LDAP groups, and where one user is a member of two or more different groups!
Why was this not in the release notes? Painful.
Opening ticket. :\
This seems to be broken is in all versions after 5.6.8, at least I was able to reproduce it on 5.6.9, 6.0.5, and 6.2.0.
This is a huge issue, because now we have the choice between being vulnerable to the various CVE's or semi/non-working SSL VPN's.
Major annoyance! QA seems to be non-existent these days!
5.6.10 was just released. Can anyone confirm if it resolves the SSL VPN issue? I'm thinking it might be 542706.
Bug ID Description
515370 SSL VPN access denied if address object added after group object in firewall policy
540328 SSL VPN web mode accessing internal server getting ERR_EMPTY_RESPONSE in browsers.
542706 With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.