PSIRT Advisory

FortiClient improper access control of users' VPN credentials

Summary

When the FortiClient "Save Password" feature is enabled (disabled by default), and when users make use of it, FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; users sharing the same workstation may therefore be able to see each other's encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.

Impact

Information Disclosure

Affected Products

The following products are affected:

FortiClient for Windows: 5.6.0 and below versions.
FortiClient for Mac OSX: 5.6.0 and below versions.
FortiClient SSLVPN Client for Linux: 4.4.2334 and below versions.

The following products are NOT impacted:

FortiClient Android
FortiClient EMS
FortiClient IOS

Solutions

FortiClient for Windows:
Upgrade to 5.6.1

FortiClient for Mac OSX:
Upgrade to 5.6.1

FortiClient SSLVPN Client for Linux:
Upgrade to 4.4.2335 released together with FortiOS 5.4.7

Workarounds

A scheduled upgrade to the fixed versions is strongly recommended to maximize security protection.

When a FortiClient upgrade is temporarily not feasible, it is suggested to disable the FortiClient "Save Password" feature from FortiOS; end users then need to stop using this option in FortiClient and change their passwords right after that. To ensure any cached credentials are removed from the operating system, performing a FortiClient uninstall followed by a reinstall is also recommended.

To disable the "Save Password" feature, on FortiOS, run the following CLI commands:

For SSL VPN:
config vpn ssl web portal
edit [portal-name]
set save-password disable
next
end

For IPSec:
config vpn ipsec phase1
edit [vpn-name]
set save-password disable
next
end
config vpn ipsec phase1-interface
edit [vpn-name]
set save-password disable
next
end
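The CLI blocks above show the three configuration tables in which the "Save Password" option lives. The following script is an added example (not Fortinet's code) that audits an exported FortiOS configuration backup for any SSL VPN portal or IPsec phase1 entry that still has `set save-password enable`, so an administrator can confirm the workaround has been applied everywhere. It assumes the backup uses the same `config` / `edit` / `set` / `next` / `end` nesting shown above, that entries without an explicit `set save-password` line use the default (which the advisory states is disabled), and it runs against a constructed sample fragment embedded inline.

```python
"""Audit a FortiOS configuration backup for VPN objects with "Save Password" enabled.

Added example, not part of the Fortinet advisory. Assumes the config/edit/set/next/end
nesting shown in the advisory's CLI snippets.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample config fragment (not a real device export).
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set save-password enable
        set auto-connect disable
    next
    edit "web-only"
        set save-password disable
    next
    edit "default"
    next
end
config vpn ipsec phase1-interface
    edit "hq-tunnel"
        set save-password enable
    next
end
"""

# The tables whose save-password setting the advisory tells administrators to disable.
AUDITED_TABLES = {
    "vpn ssl web portal",
    "vpn ipsec phase1",
    "vpn ipsec phase1-interface",
}


def parse_save_password(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {table: {entry_name: 'enable' | 'disable' | 'default'}} for audited tables.

    'default' means no explicit 'set save-password' line was present for the entry;
    per the advisory, the feature is disabled by default, so 'default' means off.
    """
    results: Dict[str, Dict[str, str]] = {}
    # Stack of [table_name, current_entry_or_None]; nested config blocks push a frame.
    frames: List[List[Optional[str]]] = []

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            frames.append([line[len("config "):].strip(), None])
        elif line.startswith("edit ") and frames:
            entry = line[len("edit "):].strip().strip('"')
            frames[-1][1] = entry
            table = frames[-1][0]
            if table in AUDITED_TABLES:
                results.setdefault(table, {})[entry] = "default"
        elif line.startswith("set save-password ") and frames:
            table, entry = frames[-1]
            if table in AUDITED_TABLES and entry is not None:
                results[table][entry] = line.split()[-1]
        elif line == "next" and frames:
            frames[-1][1] = None
        elif line == "end" and frames:
            frames.pop()
    return results


def find_enabled(config_text: str) -> List[Tuple[str, str]]:
    """List (table, entry) pairs where save-password is explicitly enabled."""
    parsed = parse_save_password(config_text)
    return sorted(
        (table, entry)
        for table, entries in parsed.items()
        for entry, value in entries.items()
        if value == "enable"
    )


if __name__ == "__main__":
    for table, entry in find_enabled(SAMPLE_CONFIG):
        print(f'config {table} / edit "{entry}": set save-password enable')
```

Pointing the script at a real backup (read the file into `config_text`) lists every object that still needs the `set save-password disable` change from the CLI blocks above; an empty result means the workaround is in place for the audited tables.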

Acknowledgement

Fortinet is pleased to thank M. Li of SEC Consult Vulnerability Lab for reporting this vulnerability under responsible disclosure.