PSIRT Advisory

FortiClient insecure VPN credential storage and encryption

Summary

In certain conditions, FortiClient users' VPN credentials are stored in improperly secured locations and unsafely encrypted.

[CVE-2017-14184]

When the FortiClient "Save Password" feature is enabled (disabled by default), and when users make use of it, FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; users sharing the same workstation may therefore be able to see each other's encrypted credentials.

[CVE-2017-17543]

Users' VPN authentication credentials are unsafely encrypted in multiple FortiClient distributions, due to the use of a static encryption key and weak encryption algorithms.

Impact

Information Disclosure

Affected Products

FortiClient for Windows:
[CVE-2017-14184] 5.6.0 and below versions.
[CVE-2017-17543] 5.6.0 and below versions.

FortiClient for Mac OSX:
[CVE-2017-14184] 5.6.0 and below versions.
[CVE-2017-17543] 5.6.0 and below versions.

FortiClient SSLVPN Client for Linux:
[CVE-2017-14184] 4.4.2334 and below versions.
[CVE-2017-17543] 4.4.2335 and below versions.

The following products are NOT impacted:
FortiClient Android
FortiClient EMS
FortiClient IOS

Solutions

FortiClient for Windows:
[CVE-2017-14184] Upgrade to 5.6.1
[CVE-2017-17543] Upgrade to 5.6.1

FortiClient for Mac OSX:
[CVE-2017-14184] Upgrade to 5.6.1
[CVE-2017-17543] Upgrade to 5.6.1

FortiClient SSLVPN Client for Linux:
[CVE-2017-14184] Upgrade to 4.4.2335 released together with FortiOS 5.4.7
[CVE-2017-17543] Upgrade to 4.4.2336 released together with FortiOS 6.0.0

Workarounds

A scheduled upgrade to the fixed versions is strongly recommended to maximize security protection.

When a FortiClient upgrade is temporarily not feasible, it is suggested to disable the FortiClient "Save Password" feature from FortiOS; end users then need to stop using this option on FortiClient and change their passwords right after that. To ensure any credentials cached by the operating system are removed, uninstalling and then reinstalling FortiClient is also recommended.

To disable the "Save Password" feature, on FortiOS, run the following CLI command:

For SSL VPN:
config vpn ssl web portal
edit [portal-name]
set save-password disable
next
end

For IPSec:
config vpn ipsec phase1
edit [vpn-name]
set save-password disable
next
end
config vpn ipsec phase1-interface
edit [vpn-name]
set save-password disable
next
end
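The following Python script is an added example, not Fortinet tooling: it parses a FortiOS configuration dump in the "config / edit / set / next / end" syntax shown above, lists every SSL VPN portal and IPsec phase1 entry where save-password is still enabled, and emits the corresponding workaround commands. The section names and the save-password setting come from this advisory; the embedded sample configuration and the other settings in it are constructed for illustration, as is the nested bookmark-group block that shows the parser coping with sub-sections.

```python
"""Audit a FortiOS configuration dump for VPN entries that still allow
FortiClient's "Save Password" feature, and print the workaround CLI.

Added example, not Fortinet's own tooling. Assumes the FortiOS config
syntax shown in the advisory (config ... / edit ... / set ... / next / end).
"""

# Sections the advisory workaround touches.
VPN_SECTIONS = (
    "vpn ssl web portal",
    "vpn ipsec phase1",
    "vpn ipsec phase1-interface",
)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """
config vpn ssl web portal
    edit "full-access"
        set save-password enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-access"
        set save-password disable
    next
end
config vpn ipsec phase1-interface
    edit "branch-dialup"
        set keepalive 10
        set save-password enable
    next
    edit "site-to-site"
        set keepalive 10
    next
end
"""


def find_save_password_entries(config_text):
    """Return (section, entry_name, value) for every entry in a VPN section
    whose save-password setting is 'enable'. Entries without an explicit
    'set save-password' line count as disabled, matching the advisory's
    statement that the feature is disabled by default."""
    findings = []
    # One frame per open 'config' block so nested blocks do not clobber
    # the state of the enclosing entry.
    frames = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            frames.append({"section": line[len("config "):], "entry": None, "value": None})
        elif line == "end":
            if frames:
                frames.pop()
        elif line.startswith("edit ") and frames:
            frames[-1]["entry"] = line[len("edit "):].strip().strip('"')
            frames[-1]["value"] = None
        elif line == "next" and frames:
            frame = frames[-1]
            if frame["section"] in VPN_SECTIONS and frame["value"] == "enable":
                findings.append((frame["section"], frame["entry"], frame["value"]))
            frame["entry"] = None
            frame["value"] = None
        elif line.startswith("set save-password ") and frames:
            frames[-1]["value"] = line.split()[-1]
    return findings


def remediation_commands(findings):
    """Build the FortiOS CLI from the advisory workaround for each flagged
    entry, grouped by section, as a single string."""
    lines = []
    for section in VPN_SECTIONS:
        names = [name for sec, name, _ in findings if sec == section]
        if not names:
            continue
        lines.append("config " + section)
        for name in names:
            lines += ['edit "%s"' % name, "set save-password disable", "next"]
        lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_save_password_entries(SAMPLE_CONFIG)
    for section, name, value in hits:
        print("save-password %s: %s / %s" % (value, section, name))
    print(remediation_commands(hits))
```

Run it against the output of "show full-configuration" saved to a file (replace SAMPLE_CONFIG with the file contents) to get a list of portals and phase1 entries to fix before the FortiClient upgrade is scheduled.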

Update History:
12-07-2017 Initial version
04-10-2018 FortiClient SSLVPN Client for Linux fixed CVE-2017-17543 in 4.0.2336

Acknowledgement

Fortinet is pleased to thank "M. Li of SEC Consult Vulnerability Lab" and "Ci&T Software S/A Brazil" for reporting these vulnerabilities separately under responsible disclosure.