Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hosemacht
Contributor II

FortiOS 5.6.9 is out

with only one weird bugfix in the release notes:

 

529745 FortiOS 5.4.11

is no longer vulnerable to the following CVEReference: l CVE-2018-1338

 

https://docs.fortinet.com.../fortios-release-notes

sudo apt-get-rekt

sudo apt-get-rekt
1 Solution
rojekj
New Contributor III

Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:

User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.

 

Once again - our VPN gateway is broken after upgrade.

When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?

Seriously, I don't have words for fortinets' QA. Because it does not exist!

View solution in original post

29 REPLIES 29
XavierMP

It's not the same CVE:

CVE-2018-13382 vs CVE-2019-5586

FG-IR-18-389 vs FG-IR-19-034

Frosty

Can someone clarify something for me?  I've read through all these CVEs and the FG links above.  They all seem to be vulnerabilities in the SSL VPN Web Portal only.  Have I understood that correctly?  If we're only using FortiClient connections, is there any urgency to upgrade?

Kenundrum

Stephen Frost wrote:

  If we're only using FortiClient connections, is there any urgency to upgrade?

Unfortunately, based on the sparse details, if you're using Forticlient connections to an SSLVPN, then you are vulnerable. If you are using Forticlient exclusively for ipsec tunnels, then you can use the workaround and disable sslvpn altogether.

The nature of the vulnerabilities appear to be that an unauthenticated user can send http requests that perform unintended/unauthorized actions. If you are using SSLVPN at all, it must respond to http requests by its nature and it won't matter if they are coming from a browser or from a forticlient.

The advisory is very light on details and the CVE entries have not been updated. It's hard to know for sure, so it's best to assume you are susceptible.

Again- the silver lining is that this appears to be relatively obscure and does not appear to completely compromise the system. However the one about changing a user password can likely be combined with some other issue to really cause trouble on the receiving end.

CISSP, NSE4

 

CISSP, NSE4
Frosty

Thanks for the reply.  Yeah, that's what I was hoping to avoid, but I might need to upgrade right away.  Damn.  I'm heading off on leave from next week too, so I don't want to risk introducing any stability issues by doing a major firmware upgrade just before I go.

Rami
New Contributor

Hello ,

I am currently at 5.6.8 , I have a valid upgrade path to 5.6.9 but as I currently understand that this version is also vulnerable , I only have the option to upgrade to 6.0.0/6.0.1/6.0.2 and 3 of them with invalid upgrade path

I have no other firmware listed than the 6.0.0-6.0.2

 

 

Should I go to 5.6.9 inorder to be able to upgrade to 6.0.5?

Rami
New Contributor

Upgrading to 5.6.9 gave me the option to upgrade to 6.0.3 but still invalid upgrade path.

6.0.4 and 6.0.5 I can't see both of them.

gbagita
New Contributor

rojekj wrote:

Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:

User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.

 

Once again - our VPN gateway is broken after upgrade.

When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?

Seriously, I don't have words for fortinets' QA. Because it does not exist!

I can confirm this. We have the same problem. Don't  use this version of FortiOS, when you have have rules based on LDAP groups, and where one user is a member of two or more different groups!

fgtenterprise

Why was this not in the release notes?  Painful.

 

Opening ticket. :\

lubyou
New Contributor

This seems to be broken is in all versions after 5.6.8, at least I was able to reproduce it on 5.6.9, 6.0.5, and 6.2.0.

 

This is a huge issue, because now we have the choice between being vulnerable to the various CVE's or semi/non-working SSL VPN's.

 

Major annoyance! QA seems to be non-existent these days!

FortiOSman
New Contributor III

5.6.10 was just released. Can anyone confirm if it resolves the SSL VPN issue? I'm thinking it might be 542706. 

 

Bug ID Description

515370 SSL VPN access denied if address object added after group object in firewall policy

540328 SSL VPN web mode accessing internal server getting ERR_EMPTY_RESPONSE in browsers.

542706 With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.

Labels
Top Kudoed Authors