Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
rmaccalla
Staff
Staff

Created on ‎01-31-2024 09:33 PM Edited on ‎01-31-2024 09:34 PM By Community Manager

Article Id 296993

Technical Tip: Terrapin SSH Prefix Truncation CentOS Mitigation

 

Description

This article describes current options for resolving the Terrapin OpenSSH vulnerability for CentOS-based FortiNAC Appliances:
CVE-2023-48795 disclosed a vulnerability surrounding SSH channel integrity. This vulnerability is listed as Moderate by RedHat.

Per Fortinet's CentOS Update Policy:

FortiNAC CentOS Updates

FortiNACs utilize the CentOS Linux distribution, CentOS is a Linux distribution that is based on a commercial offering of Linux called Red Hat Enterprise Linux (RHEL). The CentOS organization publishes periodic bug fixes and security updates for the CentOS Distribution. The CentOS organization makes updates available in repositories (web/ftp servers on their site.)


Fortinet relies on CentOS/Red Hat to update and maintain these applications. They are not maintained separately by Fortinet. Fortinet retrieves the updates from the CentOS site periodically, prepares its repository, and validates that the resulting set of packages is complete and compatible with FortiNAC. All available changes from CentOS are incorporated into Fortinet’s repository for a “maintenance update”, released once each quarter.


RedHat has the vulnerable OpenSSH package listed as 'Out of Scope' for RHEL 7, this means they will not provide an update to resolve the vulnerability. This is likely due to RHEL/CentOS 7 approaching the end of life on June 30, 2024.


The recommendation to resolve this vulnerability is to migrate to NacOS as it will receive an updated version of OpenSSH containing a security fix. See the appropriate CentOS to FortiNAC-OS VM Migration documentation for your deployment type listed under Admin Guides:

FortiNAC


RedHat has listed a Mitigation on the CVE listing (https://access.redhat.com/security/cve/cve-2023-48795), that can be used at the user's risk. These changes could affect communication between the FortiNAC and the infrastructure that it manages through SSH.

Additionally, the configuration files that are modified to implement the mitigation, are overwritten during upgrades, so the changes will need to be re-applied. A note should be placed into /bsc/campusMgrUpdates/README so that the mitigation can be re-applied.
Scope CentOS-based FortiNAC Appliances
Solution

Contact FortiNAC support for assistance with applying RedHat mitigation.

 

2722
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.