Individuals using Fortinet FortiClient for Windows, Mac OSX and Linux may be vulnerable to having their encrypted VPN credentials stolen and decrypted. This attack would allow threat actors to access any material that the user could access over a VPN connection. The vulnerable versions include version 4.4.2332 on Linux, version 5.6.0.1075 on Windows as well as version 5.6.0.703 on Mac OSX. A consulting company discovered the vulnerability earlier this year and, after assisting Fortinet with patching the issues, has released its technical review [1].


What we’re doing about it

  • eSentire Threat Intelligence will continue to monitor the situation for future releases and updates.


What you should do about it

  • Users should immediately update to the latest version of FortiClient:
    • Version 5.6.1 for Windows
    • Version 5.6.1 for Mac OSX
    • Version 4.4.2335 for Linux
  • Do not save VPN passwords in the client, and remove read/write permissions on the FortiClient configuration file for standard (non-administrator) users


Additional information

  • FortiClient uses a single hardcoded decryption key that is the same across all installations and can be recovered from the binary. The configuration file's permissions are overly permissive: the file is world-readable. An attacker can combine these two issues to read the stored FortiClient credentials on the system and decrypt them. At this time, the attack can only be conducted locally.
  • A proof of concept tool that automatically exploits the vulnerabilities has been created by researchers but has not been publicly released at this time.
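The two conditions above (an unpatched build and a configuration file every local account can read) are what a host audit should flag. The following script is an added example, not part of the advisory or of Fortinet's software; it treats any build older than the fixed releases listed above as needing an update (an assumption, since the advisory names specific affected builds), and the configuration file path is a placeholder you must supply for your install.

```python
import os
import stat
import sys

# Fixed releases named in the advisory. Anything older is treated as needing an
# update (an assumption: the advisory lists specific affected builds, and the
# safe action is to move to the fixed release or later).
FIXED_VERSIONS = {"windows": "5.6.1", "mac": "5.6.1", "linux": "4.4.2335"}


def parse_version(version: str) -> tuple:
    """Turn '5.6.0.1075' into (5, 6, 0, 1075) so builds compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(platform: str, installed: str) -> bool:
    """True when the installed FortiClient build is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[platform.lower()])


def world_access(path: str) -> dict:
    """Flag a file that every local account can read or write (the advisory's second issue)."""
    mode = os.stat(path).st_mode
    return {"world_readable": bool(mode & stat.S_IROTH),
            "world_writable": bool(mode & stat.S_IWOTH)}


def audit(platform: str, installed: str, config_path: str = "") -> list:
    """Collect human-readable findings; an empty list means nothing to fix."""
    findings = []
    if needs_update(platform, installed):
        findings.append(f"FortiClient {installed} is older than fixed release "
                        f"{FIXED_VERSIONS[platform.lower()]}; update it.")
    if config_path and os.path.exists(config_path):
        for key, flag in world_access(config_path).items():
            if flag:
                findings.append(f"{config_path} is {key.replace('_', '-')}; "
                                "restrict it to administrators.")
    return findings


if __name__ == "__main__":
    # Usage: audit.py <windows|mac|linux> <installed-version> [config-file-path]
    # The config file path is not given in the advisory; pass your install's real path.
    cfg = sys.argv[3] if len(sys.argv) > 3 else ""
    for line in audit(sys.argv[1], sys.argv[2], cfg) or ["No findings."]:
        print(line)
```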


[1] https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html
