Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hosemacht
Contributor II

FortiOS 5.6.9 is out

with only one weird bugfix in the release notes:

 

529745 FortiOS 5.4.11

is no longer vulnerable to the following CVEReference: l CVE-2018-1338

 

https://docs.fortinet.com.../fortios-release-notes

sudo apt-get-rekt

sudo apt-get-rekt
1 Solution
rojekj
New Contributor III

Beware, as this release has a major bug in SSL VPN. When uer is in multiple groups that grants different access in SSL VPN, only the first group is working. For example:

User x is in group vpn_a, and vpn_b, group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, user can no longer access 2.2.2.2. After removing him from vpn_a group he can access 2.2.2.2 again.

 

Once again - our VPN gateway is broken after upgrade.

When it will be fixed? In 6 months? or 7? So I must live with vulnerable VPN till then?

Seriously, I don't have words for fortinets' QA. Because it does not exist!

View solution in original post

29 REPLIES 29
ddskier
Contributor

I don't get this release.  Only bug fix is:

 

529745 FortiOS 5.4.11 is no longer vulnerable to the following CVE Reference:  CVE-2018-13382

 

Not sure how a 5.4.11 fix applies going from 5.6.8 to 5.6.9.

 

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
dedmonds_FTNT

The 5.4.11 reference is a typo.  It should read 5.6.9.  You have an outdated copy of the release notes.  Download the document again.

FlavioB

OK but anyway: where to find exact description/information about that CVE? I'm not finding any...

F.

Hosemacht
Contributor II

indeed there is no CVE Record for: CVE-2018-1338

maybe another typo?

sudo apt-get-rekt

sudo apt-get-rekt
FlavioB
New Contributor III

the_giraffe_that_wasnt_president wrote:

indeed there is no CVE Record for: CVE-2018-1338

maybe another typo?

No typo.

It's simply been reported as "responsible disclosure".

 

ddskier

I applied this update on numerous 100D and 200D.  No issues.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
FlavioB
New Contributor III

ddskier wrote:

I applied this update on numerous 100D and 200D.  No issues.

Of course no issues - it's a fix for one CVE (if you want to know about the details, ask your Fortinet representative).

F.

wolfschen

Hello,

I am also interesting for Upgrade details and Release notes are for me primary source of knowledge about upgrade. When you look on any firmware upgrade cookbook released by Fortinet there is: make a backup and read the release notes. That why last time I am really dissapointed about 'quality' of release notes. On firmware 5.6.9 release notes was typo with 5.4.11 firmware version and NO informations about what is CVE-2018-13382.....

Yesterday was 5.4.11 release with this same CVE-2018-13382..... and guess what? still no info about that CVE. I checked on the mitre.org and just info about reservation.... So i decided to chat with technican from Fortinet. I wasted 20 minutes on queue and I received following information:

########

The vulnerability is about: SSL VPN user password modified. Currently, the CVE is reserved but not published. You should be able to find additional information with that on our PSIRT page [link]https://fortiguard.com/psirt[/link] once the information has been published. ########

I checked also PSIRT (https://fortiguard.com/psirt) and guess what? no info!

then technican said: it is not been updated yet!

So feel free to add more infos about that when you find out more details :)

 

Cheers!

 

FlavioB
New Contributor III

Hi.

You got exactly the same information as I did - but I had only to write an email to my local Fortinet SE this time :)

Just wait and see...

F.

Labels
Top Kudoed Authors