Vulnerability: Fortinet’s FortiClient leaks VPN client credentials

[German]The NextGeneration Endpoint Protection solution from Fortinet, FortiClient, contains also a VPN client. This client exposes credentials, but an update is available. I don't know, if blog readers are using FortiClient, but I'm publishing the information as public service announcement here within my blog.


Advertising

FortiClient from Fortinet is available for Linux, Mac, and Windows. The product is advertised by the vendor as a NextGeneration Endpoint Protection solution (Antivirus). The software provides endpoint protection against new malware threats. In addition, the software enables the software and hardware inventory to be controlled throughout the entire security structure. You should be able to identify endangered or compromised hosts with the software. That's the theory.

Fortinet's FortiClient also contains a VPN client, designed to 'provide a secure and reliable access to enterprise networks and applications from virtually any remote location connected to the Internet'.

A vulnerability in FortiClient

Security researchers from SecConsult have now published a Security Advisory, where they are warning about a vulnerability in VPN client. Background: FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication data in improperly secured locations.

Under Linux and macOS, FortiClient stores the VPN authentication credentials in a configuration file. In Windows, these VPN authentication credentials are left within the registry at:

HKLM\SOFTWARE\WOW6432Node\Fortinet\FortiClient\Sslvpn\Tunnels


Advertising

The credentials are encrypted, but can still be recovered since the decryption key is hardcoded in the program and the same decryption key is used on all installations.

According to the Security Advisory, the hardcoded key can be disclosed on the Linux version by issuing the following command:

$ strings forticlientsslvpn |grep "fc_1A"
fc_1A2Brown3Fox4Jumped5Over6A7Lazy8Dog

According to SecConsult, an attacker can steal the password of any user who has a FortiClient profile on the system. In an enterprise environment, where employees usually log onto VPN server with their domain credentials, a vicious employee can extensively harvest the credentials of colleagues by logging onto the workstation where the credentials have been stored. Hence an attacker might steal credentials of any user in the domain and gain access to their user account (e.g. emails, other private data).

The vulnerability (CVE-2017-14184) affects FortiClient 5.6.0 and earlier on Windows and macOS, and FortiClient 4.4.2334 and earlier for Linux. Fortinet has published an Advisory and released updates for Windows (FortiClient 5.6.2), and macOS (FortiClient 5.6.1), and Linux (together with FortiOS 5.4.7). Further details may be obtained from the Fortinet Advisory and SecConsult's Security Advisory. (via)


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in devices, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *