Fudo Enterprise 5.4.12

This is a minor Fudo release, introducing a range of improvements and new fixes.

ANNOUNCEMENTS

• Fudo Enterprise 5.4.12 will be the final version to support the Fudo Officer 1.0mobile application. Users who rely on this integration will need to download the upcoming version of Fudo Officer app from their respective app stores. The new version will be available shortly; please stay tuned for its release.

BUG FIXES

• Addressed a critical vulnerability in OpenSSH that could potentially allow unauthorized remote code execution, posing a serious threat to systems (vulnerability identifier: CVE-2024-6387).
• Addressed an issue where an unexpected power supply status was observed after upgrading to versions in the range of 5.4.7.
• Resolved an issue preventing the establishment of an RDP/RDS connection via the native client using a connection file from User Access Gateway.
• Fixed a bug causing the native client with OTP and RDS redirection to request the server password.
• Resolved an issue with the improper username value in the log when establishing an RDS connection using the native client option.
• Re-fix: Resolved an issue where adding another LDAP synchronization configuration caused the deletion of previously synchronized users. This issue was addressed in a previous release but was not fully resolved and has now been corrected.
• Resolved an issue with LDAP synchronization falling into a loop after manual deleting and re-adding external authentication for synchronized user with OATH set as a second factor.

DOWNLOAD

Download Fudo Enterprise 5.4.12

Download PDF version of this Release Note along with the "Before You Upgrade" manual.

Fudo Enterprise 5.4.11

This is a minor Fudo release, introducing a range of improvements and new fixes.

HOTFIX REQUIRED FOR THIS VERSION

• Please install 'Hotfix for Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - CVE-2024-6387' along with this version of Fudo Enterprise - Download from the SOFTWARE & DOCUMENTATION > Software Hotfix

ANNOUNCEMENTS

• Fudo Enterprise 5.4.11 is the last version supporting the 4-Eyesauthentication for sessions approval in the Sessions tab (the 'Require approval' option). Starting with the next version, it will be replaced by Just In Time Simultaneously, the Fudo Officer mobile application will be deprecated. Users utilizing this integration will need to migrate to the new Fudo Officer version that uses the Just In Time feature.
  
  

IMPROVEMENTS

• Simplified workflow for RDP connections when using MSTSC and the RDP configuration file generated in the Access Gateway.
• Users now receive information about the reason for the rejected Access Request in mail notifications.

BUG FIXES

• Fixed an issue preventing the saving of a Telnet server configuration when 'TLS enabled' is unselected.
• Fixed a possible authentication bypass in 'mobiletoken' method. The following conditions have to be met:
  
  • The user has a 'mobiletoken' authentication method attached (this is automatically attached when the user scans a QR code from the Fudo Officer mobile application).
  • The user has to successfully authenticate at least once using the 'mobiletoken' method. This occurs when the user logs in through the Fudo Officer app.
• Fixed an issue that prevented objects beyond the first 1000 from being searchable through the GUI, ensuring all objects are now accessible regardless of their position in the list.
• Resolved a memory limit issue in Fudo Player that occurred while listing a large number of files in a directory during an SFTP session.
• Fixed an issue with the inactive 'Back' button in the Access Gateway's Web Client connection option modal window.
• Fixed an issue with a disruptive log about incorrect content in 'ssh_config' component.
• Fixed an issue with Okta OpenID Connect authentication where the 'email_verified' field could not be located.
• Fixed an issue preventing the deletion of replicated or backed-up session data if it originates from another node or backup.
• Fixed an issue causing double OTP prompts for redirected RDP connections in RDS, impacting Users configured with the OATH authentication method.
• Fixed an issue causing sessions to close due to clipboard handling when using an RDP client.
• Addressed an issue causing password changers to malfunction when using the SSH Key authentication method with 'Legacy crypto' enabled in the Server configuration.
• Resolved an issue related to session data replication between nodes that caused variations in session data size.
• Resolved an issue where adding another LDAP synchronization configuration caused the deletion of previously synchronized users.
• Resolved an issue with LDAP synchronization falling into a loop after manual deleting and re-adding external authentication method for synchronized User.

DOWNLOAD

Download Fudo Enterprise 5.4.11

Download PDF version of this Release Note along with the "Before You Upgrade" manual.

Fudo Enterprise 5.4.8

This is a minor Fudo release, introducing a range of improvements and new fixes.

HOTFIX REQIRED FOR THIS VERSION

• Please install 'Hotfix for Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - CVE-2024-6387' along with this version of Fudo Enterprise - Download from the SOFTWARE & DOCUMENTATION > Software Hotfix

IMPROVEMENTS

• Upgraded OpenSSHto version 9.6, enhancing security and performance with the following changes:
  • Introduced support for additional key algorithms.
  • Moved ssh-rsaand ssh-rsa-cert-v01@openssh.com to the Legacy crypto mode.
• Reintroduced support for the <username>#<server-address> login string in the bastion mode for streamlined access.
• Improved session cleanup efficiency by deleting associated records instead of marking them as removed, conserving disk space and preventing unnecessary data redistribution.
• Updated TZdatafiles to reflect Kazakhstan's administrative time zone change from UTC+6 to UTC+5.
• Enhanced the SNMP daemon configuration to support the use of specific routing tables.

BUG FIXES

• Addressed an issue causing RDS connections to terminate shortly after receiving the redirection packet.
• Corrected misleading "Incorrect username or password"messages displayed during login attempts through a proxy listener with valid domain credentials.
• Addressed an issue causing SSH key updates to fail during LDAP synchronization.
• Resolved an issue where SSH connections could not be established due to the ssh-rsakey type not being listed in PubkeyAcceptedAlgorithms.
• Resolved an issue with the password changers service worker by restoring its default settings to align with previous versions.
• Identified and addressed an issue preventing AI model training when session event file sizes exceed a certain threshold.
• Resolved an issue leading to unnecessary multiple requests for the second authentication factor, ensuring authentication ceases after the first incorrect attempt.
• Corrected an issue related to improper SSO verification, which led to unwanted credential prompts in browsers.
• Updated the certificate fetching process to respect server settings, allowing it only under TLS and NLA conditions active.
• Addressed a display issue in Fudo player that resulted in only half of the recording being displayed for HTTP sessions.
• Corrected the mislabeled account validity date field in the Users tab.

DOWNLOAD

Download Fudo Enterprise 5.4.8

Download PDF version of this Release Note along with the "Before You Upgrade" manual.

Fudo Enterprise 5.4.7

This is a minor Fudo release, introducing a range of improvements and new fixes.

IMPROVEMENTS

• Patched the FreeBSD operating system kernel to ensure Fudo Enterprise’s compatibility with Alibaba Cloud.
• Implemented a workaround for the vulnerability CVE-2023-48795 in OpenSSH.

DOWNLOAD

Download Fudo Enterprise 5.4.7

Download PDF version of this Release Note along with the "Before You Upgrade" manual.

Fudo Enterprise 5.4.6

This is a minor Fudo release, introducing a range of improvements and new fixes.

IMPROVEMENTS

• Enhanced compatibility with non-Windows RDP clients by revising and improving the RDP file generated in the Access Gateway.
• Optimized a previously inefficient SQL query used in reports generation that was causing high CPU usage and disk bandwidth consumption, especially noticeable with numerous Pools
• Optimized OCR processing to enhance efficiency and reduce completion time.
• Discontinued the use of email addresses for authentication in OpenID Connect, enhancing security and compliance practices.
• Enhanced OpenID Connect algorithm for user identity determination. Now prioritizes data in the order of upn, unique_name, with changes in verification: requires 'email_verified'to be true when 'username_mapping' or 'email_mapping' is set to 'email'.
• Adjusted logging behavior: TCP session establishment messages are now logged only after the first data packet is received, reducing excessive logs.
• API: Set a limit for returned records - 1000 records by default when unspecified, with a 'Bad Request'response for requests exceeding this value.
• The enhanced Nodedashlet has been updated to display the roles for all redundancy groups.
• The Open VM Tools included with Fudo Enterprise have been upgraded to the latest version.

BUG FIXES

• Addressed a server certificate retrieval issue associated with the /fetch_key
• Fixed an issue with SNMP notifications lacking matched pattern information.
• Fixed an issue with fudoocrdutilizing all available CPU cores per process; thread limit now established for fudoocrd.
• Resolved issue with case sensitivity option malfunction in the listener affecting SSH key authentication.
• Addressed a problem that allowed the removal of all Serversfrom a Pool linked to an Account without restrictions.
• Resolved an issue with RDS connections causing double appending of domain names to user logins.
• Resolved an issue affecting the distribution of daily reports.
• Fixed an issue that prevented the removal of login and secret details from the existing external authentication configuration for Active Directory.
• Updated GUI: 'Secret'and 'Repeat secret' in Active Directory authentication configuration no longer incorrectly marked as mandatory.
• Streamlined logging to capture connection events only upon the arrival of the first data packet, reducing unnecessary informational entries resulting from port scanning.

DOWNLOAD

Download Fudo Enterprise 5.4.6

Download PDF version of this Release Note along with the "Before You Upgrade" manual.

Fudo Enterprise 5.4.5

This minor release of Fudo includes the following improvements and bug fixes.

IMPROVEMENTS

• Added the possibility to set an empty certificate in the Active Directory External Authenticationmethod configuration, which will result in the TLS certificate verification being disabled.
• Improved performance of the Dashboardand Accounts
• Enabled username-only login through bastion for unambiguous configurations, applicable when asingle forward or regular account with a defined login is reachable through this bastion listener, pointing to either a server with full mask or a pool with only one such server.
• Enabling Call Homefeature now automatically activates sending diagnostics.
• 'Last login'column display has been restored in the Users list on the User
• Arrow icon visibility was enhanced in the server address field of Access gateway GUI.
• The GUI has been updated to display messages about upcoming discontinuation of certain features in the next major release.

BUG FIXES

• Resolved multiple issues related to establishing a session using Remote Desktop Services functionality:
  • Fixed an issue with no possibility to establish RDS connection by Native Client.
  • Fixed an issue related to problems with establishing RDS connection when the Listener's local IP address value is set to 'Any'.
  • Fixed an issue with no possibility to establish RDP session via the Native client using a domain in the connect string.
  • Fix for an issue related to the RDP redirection problem.
• Fixed an issue related to the visibility of the Start Menu bar on a Web Client RDP connection.
• Fixed an issue with incorrect handling of uploaded files containing certificates and private keys for RDP and HTTP listeners.
• Fixed an issue with no possibility to update the Client secret in OpenID Connect authentication method.
• Fixed a Fudo startup issue occurring after increasing the disk size and performing an upgrade.
• Fixed an issue with the wrong CPU and memory usage display on the dashboard page.
• Fixed an issue preventing login to HTTP servers when the '@' sign is included in account logins.
• Fixed an issue affecting time presentation on websites accessed via HTTP rendered sessions; now time aligns with the timezone settings configured in the Admin Panel.
• Fixed an issue related to incorrect synchronization handling when no mappings are configured for one of the added LDAP domains.
• Fix for an issue with assigning 'archive'as a node on which session should be prepared to download.
• Fixed login issue with <username>#<server> string for regular Accounts with empty logins.
• Fixed an issue where initial replication during the cluster creation process fails due to custom password changers referencing Account or Server objects.
• Fix for an issue with no possibility to change the Server/Pool assignment for the Accounts created using the Discovery functionality.
• Fixed an issue related to incorrect assignment of grants to Users for managing Account objects.
• Updated objects permission assignment lists to exclude Users with redundant roles.
• Fix for an issue with the missing 'Select all'checkbox in the User permissions assignment section.
• Fixed Azure backup functionality.
• Fix an issue with unsuccessful protocol connections due to internal service errors.
• Resolved a problem causing system unresponsiveness during extensive cluster replications.
• Fix for an issue related to storage health check reporting errors when the period for deleting retained data was set to an empty value.

DOWNLOAD

Download Fudo Enterprise 5.4.5

Download PDF version of this Release Note along with the "Before You Upgrade" manual.

Fudo Enterprise 5.4.2

This is a major Fudo release, introducing new features, improvements, API changes, and bug fixes.

NEW FEATURES

• Enhanced Discovery feature:
  • Two new Discovery scanner types added:
    • Domain Controller Serversscanner for discovering servers on domain controllers,
    • Windows Local Accountsscanner for discovering local accounts on Windows servers.
  • Enhanced Accountsscanners:
    • Now you have the possibility to choose password changer and password changer policy, which will be automatically assigned to discovered accounts.
    • Password changers have the ability to assign predefined values, which should be configured to determine how the password changer will function immediately after being assigned to a discovered and onboarded account.
    • You can use Base DNand Group DN during Domain Controller Accounts scan.
• Added support for LAPS and CyberArk Credential Provider external password repositories.
• The LDAP synchronization has been enhanced to include certificate subject assignment and SSH key retrieval from the domain. Now you can obtain a subject from the user’s certificate or retrieve an SSH key from the certificate to assign it as one of the user's authentication methods.
• Support for Kerberos in Active Directory external authentication method. The Kerberos authentication option is enabled by default and can be enabled or disabled globally. By enabling it, Kerberos will be used as a first step in RDP sessions authentication against the server and in the Active Directory external authentication method.
• Uploading servers list from CSV file. This new functionality enables you to create a large number of servers automatically based on data placed in a text file.
• Support for SFTP backup protocol.
• Support for certificate authentication in the Management Panel.

IMPROVEMENTS

• Optimization of the Listeners tab interface - configuring, searching, and filtering listeners is now easier and faster.
• Optimization of the Users tab interface - configuring, searching, and filtering users is now easier and faster.

API CHANGES

• New endpoints related to enhanced Discovery features implemented. Now you can use batch requests to assign onboarded and quarantined status to discovered accounts or servers.
• Introduced in APIv2/healthcheck endpoint allows to check the overall health of Fudo Enterprise and verify its proper functioning.
• The new /statusendpoint allows retrieving detailed information about the Fudo Enterprise status, including cluster status, CPU cores temperature, disk status, system load, device memory utilization, number of currently active sessions, and more.
• The new endpoints related to external password repository management allow for creating, changing, deleting, and retrieving the information about existing external password repositories.
• New API Key user authentication method added. Reminder: The new method should be used instead of APIv1 api/system/login endpoint. Support for this endpoint will be removed in the next release.
• The new Atomic functionality introduced to enhance batch operations execution control and ensure that all batch requests must be fulfilled.

DISCONTINUED FEATURES

• Fudo Enterprise 5.4 no longer supports password changers custom plugins
• Fudo Enterprise push notifications are now managed on a custom server. Fields related to push notifications were removed from the license content. It won’t be possible to upload a license containing apns_key, apns_cert and fmc_key
• The One Time Passwordauthentication method is no longer supported. Please remove all instances of this method before the upgrade.

ANNOUNCEMENTS

• Fudo Enterprise 5.4 is the last version supporting CyberArk Enterprise Password Vault external password repository. The support will be removed in the next release. Users using this integration need to migrate to CyberArk Credential Provider external repository.
• Fudo Enterprise 5.4 is the last version supporting Application to Application Password Manager. The AAPM will be replaced by the functionality of APIv2 in the next release.
• Fudo Enterprise 5.4 is the last version supporting Ticketing systems. The support will be removed in the next release.
• Fudo Enterprise 5.4 is the last version supporting APIv1. The support will be removed in the next release. All scripts using this APIv1 should be rewritten to use APIv2.

BUG FIXES

• Access Gateway timeout rule changed - logout is not automatically performed when there is at least one active Web Client session.
• Fixed issue of Users with the Operator role access loss to Servers after upgrading Fudo Enterprise.
• Fixed issue with duplicates on the sessions list and problems with sessions preview.
• Fixed issue with the fudopvauthorization error when using monitored connection getpass fudo.
• Changed the default length of the OATH token to 6 digits to ensure compatibility with common authentication apps.
• Fixed an issue with the missing "Upload CA certificate" option while creating a Scanner for the Discovery feature.
• Fixed issue related to Native connection button display error while OTP and Web Client options are disabled for current Safe.
• Fixed issue related to highlighting active Access policy buttons in the Safe configuration tab.
• Fix for an issue related to the DUO authentication method not working properly.
• Fix for an issue regarding the possibility of saving SMS authentication method form with empty fields.
• Fix for an issue with clearing the Response reasonfield after accepting/rejecting the access request or after reopening the Request response
• Fixed issue related to displaying fields for Host, IPv4, and IPv6 configuration while editing a Server.
• Fix for an issue with marking sessions as backed up even when the backup option was disabled.
• Fixed issue with terminating the MySQL sessions in the Session player.
• Fixed issue with missing login fields during authentication when using the incorrect OpenID Connect setup.
• Fixed issue with displaying long Accounts names in the Safe creation form.
• Fixed issue with unnecessary logs displaying while creating an Account.
• Fixed issue related to display resolution scaling in Native Client RDP connections.
• Fixed issue related to desktop flickering in Web Client RDP connections after resizing the browser tab.
• Fixed issue with missing login process status indication on the Admin Panel login screen.

BEFORE YOU UPGRADE

It is highly recommended to perform the “Upgrade check” before the proper upgrade. The result of the failed check may contain information about configuration changes that needs to be done by a Fudo administrator to successfully upgrade Fudo.

There are a few things that need to be verified before this upgrade can be applied:

• Make sure your Fudo instance isn’t undergoing any system-wide process, such as storage rebuild, or the system isn’t under full-load.
• In a cluster configuration, make sure all nodes are synchronized and upgrade the slave node first.
• Make sure you have an active Premium or Standard Support maintenance contract.

IMPORTANT INFORMATION FOR UPGRADING FROM VERSIONS 5.2.x AND OLDER

Due to the significant changes in the database, the upgrading process from 5.2.x and older versions might take more time than usual.

There are a few things that need to be verified before the upgrade can be applied:

• Make sure your Fudo instance isn't undergoing any system-wide process, such as storage rebuild, or the system isn't under full-load.
• In a cluster configuration, make sure all nodes are synchronized and upgrade the slave node first.
• Make sure you have an active Premium or Standard Support maintenance contract.
• As of Fudo PAM 5.3, Citrix, ICA, and Oracle protocols are no longer supported; it is required to remove the sessions (except those already exported) associated with these protocols.
• It is required to have the  “Use root store certificates” option enabled in every HTTP server configuration.
• “Hitachi ID Privileged Access Manager” and “Lieberman Enterprise Random Password” must be  removed from the External password repositories configuration.
• Users with names containing ‘#’ or ‘%’ chars must be removed or renamed.
• If there are multiple servers with the same address and port pair but different protocols, then only one of them can be left and the other must be removed.
• Remote app configuration must be removed from all the servers and accounts.
• In password changers configuration the server properties: “protocol”, “secproto”, “ssl_to_server”,  “ssl_v2”, “ssl_v3”, “subnet” are no longer supported and must be removed.
• Port number 8888 is now reserved. Listeners using this port must be modified to use another port.
• Port numbers greater or equal 60000 are now reserved. Listeners using these ports must be modified to use other ports.

RECOMMENDED UPGRADE PATH

Before proceeding with the upgrade, please verify the version number of your Fudo Enterprise instance. Depending on the version number, you will need to follow a specific upgrade path. To learn more, please refer to this article.

HOW TO UPGRADE YOUR FUDO

1. Login to your Fudo Admin Panel.
2. Select ‘Settings > System’ from the main menu on the left-hand side and go to the ‘Upgrade’ tab.
3. If your Fudo is running in a cluster, start the upgrade on the Slave node, and only when the upgrade finishes successfully start upgrading the Master node. When both systems are running the same Fudo version cluster communication will be restored.
4. Select “Upload” from the top right side and upload the previously downloaded and unzipped upgrade package file.
5. Select “Run Check” to determine if your upgrade file is correct and can be applied to the existing Fudo configuration. Refresh your browser window to see “Upgrade check” current progress.
6. Upon a successful “Run Check” result, upgrade your Fudo by using the “Upgrade” button. Upon system restart, all active sessions will be terminated.

THE ROLLBACK PROCEDURE

If you are experiencing issues with the newly installed version, you have an option to roll back to the previous version of Fudo running on this machine. To do so, click the user menu on the top right, select ‘Restart’, and select previous system revision from the drop-down list.

DOWNLOAD

Download Fudo Enterprise 5.4.2

Download PDF version of this Release Note.

Fudo Enterprise 5.4.1

This is a major Fudo release Beta version, introducing new features, improvements, API changes, and bug fixes.

NEW FEATURES

• Enhanced Discovery feature:
  • Two new Discovery scanner types added:
    • Domain Controller Servers scanner for discovering servers on domain controllers,
    • Windows Local Accounts scanner for discovering local accounts on Windows servers.
  • Enhanced Accounts scanners:
    • Now you have the possibility to choose password changer and password changer policy, which will be automatically assigned to discovered accounts.
    • Password changers have the ability to assign predefined values, which should be configured to determine how the password changer will function immediately after being assigned to a discovered and onboarded account.
    • You can use Base DN and Group DN during Domain Controller Accounts scan.
• Added support for LAPS and CyberArk Credential Provider external password repositories.
• The LDAP synchronization has been enhanced to include certificate subject assignment and SSH key retrieval from the domain. Now you can obtain a subject from the user’s certificate or retrieve an SSH key from the certificate to assign it as one of the user's authentication methods.
• Support for Kerberos in Active Directory external authentication method.
• Uploading servers list from CSV file. This new functionality enables you to create a large number of servers automatically based on data placed in a text file.

IMPROVEMENTS

• Optimization of the Listeners tab interface - configuring, searching, and filtering listeners is now easier and faster.
• Optimization of the Users tab interface - configuring, searching, and filtering users is now easier and faster.

API CHANGES

• New endpoints related to enhanced Discovery features implemented. Now you can use batch requests to assign onboarded and quarantined status to discovered accounts or servers.
• Introduced in APIv2 /healthcheck endpoint allows to check the overall health of Fudo Enterprise and verify its proper functioning.
• The new /status endpoint allows retrieving detailed information about the Fudo Enterprise status, including cluster status, CPU cores temperature, disk status, system load, device memory utilization, number of currently active sessions, and more.
• The new endpoints related to external password repository management allow for creating, changing, deleting, and retrieving the information about existing external password repositories.

DISCONTINUED FEATURES

• Fudo Enterprise 5.4 no longer supports password changers custom plugins functionality.
• Fudo Enterprise push notifications are now managed on a custom server. Fields related to push notifications were removed from the license content. It won't be possible to upload a license containing apns_key, apns_cert and fmc_key
• The One Time Password authentication method is no longer supported. Please remove all instances of this method before the upgrade.

ANNOUNCEMENTS

• Fudo Enterprise 5.4 is the last version supporting CyberArk Enterprise Password Vault external password repository. The support will be removed in the next release. Users using this integration need to migrate to CyberArk Credential Provider external repository.

BEFORE YOU UPGRADE

It is highly recommended to perform the “Upgrade check” before the proper upgrade. The result of the failed check may contain information about configuration changes that needs to be done by a Fudo administrator to successfully upgrade Fudo.

There are a few things that need to be verified before this upgrade can be applied:

• Make sure your Fudo instance isn’t undergoing any system-wide process, such as storage rebuild, or the system isn’t under full-load.
• In a cluster configuration, make sure all nodes are synchronized and upgrade the slave node first.
• Make sure you have an active Premium or Standard Support maintenance contract.

HOW TO UPGRADE YOUR FUDO

1. Login to your Fudo Admin Panel.
2. Select ‘Settings > System’ from the main menu on the left-hand side and go to the ‘Upgrade’ tab.
3. If your Fudo is running in a cluster, start the upgrade on the Slave node, and only when the upgrade finishes successfully start upgrading the Master node. When both systems are running the same Fudo version cluster communication will be restored.
4. Select “Upload” from the top right side and upload the previously downloaded and unzipped upgrade package file.
5. Select “Run Check” to determine if your upgrade file is correct and can be applied to the existing Fudo configuration. Refresh your browser window to see “Upgrade check” current progress.
6. Upon a successful “Run Check” result, upgrade your Fudo by using the “Upgrade” button. Upon system restart, all active sessions will be terminated.

THE ROLLBACK PROCEDURE

If you are experiencing issues with the newly installed version, you have an option to roll back to the previous version of Fudo running on this machine. To do so, click the user menu on the top right, select ‘Restart’, and select previous system revision from the drop-down list.

DOWNLOAD

Download Fudo Enterprise 5.4.1

CONTACT US

If you have questions or concerns, please get in touch at support@fudosecurity.com or by phone: +48 22 100 67 09.

Sincerely,
Fudo Security Team