FortiClient improper access control exposes users’ VPN credentials

FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations.

Fortinet provided security updates for its next-generation endpoint protection FortiClient product that address a serious information disclosure vulnerability.

The flaw, tracked as CVE-2017-14184, could be exploited by an attacker to obtain VPN authentication credentials.

FortiClient is a powerful product that includes many components and features such as web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features.

Experts at SEC Consult discovered security flaws that can be exploited to access VPN authentication credentials associated with the product.

“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the project description published by SEC Consult.

SEC Consult rated the issue as “high severity”, while Fortinet has assigned it a 4/5 risk rating.

The first issue is related to the fact that the VPN credentials are stored in a configuration file, on both Linux and macOS systems, and in the registry on Windows. This means that for an attacker the configuration files are easily accessible.

The second issue is related to the fact that decryption key for credentials is hardcoded in the application and it’s the same for all the Fortinet installs. An attacker can find the key and decrypt the passwords.

“FortiClient stores the VPN authentication credentials in a configuration file (on Linux or Mac OSX) or in registry (on Windows). The credentials are encrypted but can still be recovered since the decryption key is hardcoded in the program and the same on all installations. Above all, the aforementioned storage is world readable, which actually lays the foundation for the credential recovery.” continues the analysis published by SEC Consult.

The flaws are very insidious especially in enterprise environments when an insider with valid domain credentials can then harvest all credentials of all other VPN users and gain access to their domain user account.

“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the advisory published by Fortinet.

SEC Consult has developed a proof-of-concept (PoC) tool that leverages on these issued to recover passwords, the company plans to release it in the future giving the users the time to update their FortiClient installs.

According to Fortinet the flaw affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux. Android and iOS apps are not impacted.

Versions FortiClient 5.6.1 for Windows and Mac, and FortiClient 4.4.2335 for Linux, running FortiOS 5.4.7 fixed the problems.

Below the Vendor contact timeline:

2017-08-30: Contacting vendor through psirt@fortinet.com
2017-09-19: Contacting vendor again due to lost message
2017-09-20: Vendor confirmed and assigned CVE-2017-14184 to the issues
2017-10-19: Vendor requested to postpone the release date
2017-11-02: Vendor informed the fix for Windows and OS X was done
2017-11-22/23: Vendor released 5.6.1 for OS X and 5.6.2 for Windows
2017-12-08: Vendor informed that the fix for Linux is available together with FortiOS release version 5.4.7
2017-12-13: Public disclosure of advisory

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mirai botnet, DDoS)

[adrotate banner=”5″]

[adrotate banner=”13″]