Can someone clarify something for me?  I've read through all these CVEs and the FG links above.  They all seem to be vulnerabilities in the SSL VPN Web Portal only.  Have I understood that correctly?  If we're only using FortiClient connections, is there any urgency to upgrade?

Stephen Frost wrote:

  If we're only using FortiClient connections, is there any urgency to upgrade?

Unfortunately, based on the sparse details, if you're using Forticlient connections to an SSLVPN, then you are vulnerable. If you are using Forticlient exclusively for ipsec tunnels, then you can use the workaround and disable sslvpn altogether.

The nature of the vulnerabilities appear to be that an unauthenticated user can send http requests that perform unintended/unauthorized actions. If you are using SSLVPN at all, it must respond to http requests by its nature and it won't matter if they are coming from a browser or from a forticlient.

The advisory is very light on details and the CVE entries have not been updated. It's hard to know for sure, so it's best to assume you are susceptible.

Again- the silver lining is that this appears to be relatively obscure and does not appear to completely compromise the system. However the one about changing a user password can likely be combined with some other issue to really cause trouble on the receiving end.

Thanks for the reply.  Yeah, that's what I was hoping to avoid, but I might need to upgrade right away.  Damn.  I'm heading off on leave from next week too, so I don't want to risk introducing any stability issues by doing a major firmware upgrade just before I go.

Hello ,

I am currently at 5.6.8 , I have a valid upgrade path to 5.6.9 but as I currently understand that this version is also vulnerable , I only have the option to upgrade to 6.0.0/6.0.1/6.0.2 and 3 of them with invalid upgrade path

I have no other firmware listed than the 6.0.0-6.0.2

 

 

Should I go to 5.6.9 inorder to be able to upgrade to 6.0.5?

Upgrading to 5.6.9 gave me the option to upgrade to 6.0.3 but still invalid upgrade path.

6.0.4 and 6.0.5 I can't see both of them.

rojekj wrote:

Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:

User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.

 

Once again - our VPN gateway is broken after upgrade.

When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?

Seriously, I don't have words for fortinets' QA. Because it does not exist!

I can confirm this. We have the same problem. Don't  use this version of FortiOS, when you have have rules based on LDAP groups, and where one user is a member of two or more different groups!

Why was this not in the release notes?  Painful.

 

Opening ticket. :\

This seems to be broken is in all versions after 5.6.8, at least I was able to reproduce it on 5.6.9, 6.0.5, and 6.2.0.

 

This is a huge issue, because now we have the choice between being vulnerable to the various CVE's or semi/non-working SSL VPN's.

 

Major annoyance! QA seems to be non-existent these days!

5.6.10 was just released. Can anyone confirm if it resolves the SSL VPN issue? I'm thinking it might be 542706. 

 

Bug ID Description

515370 SSL VPN access denied if address object added after group object in firewall policy

540328 SSL VPN web mode accessing internal server getting ERR_EMPTY_RESPONSE in browsers.

542706 With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.