Message-ID: <5180D604.6070205@objectif-securite.ch>
Date: Wed, 01 May 2013 10:44:52 +0200
From: Philippe oechslin <philippe.oechslin@...ectif-securite.ch>
To: full-disclosure@...ts.grok.org.uk
Subject: Forticlient VPN client credential interception vulnerability


We found this one year ago. Although most versions have been patched we
haven't seen any public info on this yet.


FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY
============================================================

Description
-----------
The Fortinet FortiClient VPN client on all available platforms suffers
from a certificate validation vulnerability which allows an attacker
to successfully run a man-in-the-middle attack and to steal the
credentials of the user.

When the FortiClient VPN client is tricked into connecting to a proxy
server rather than to the original firewall (e.g. through ARP or DNS
spoofing), it detects the wrong SSL certificate but only warns the
user _AFTER_ it has already sent the password to the proxy.
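The defect class here is an ordering error: the client has the peer certificate in hand, but compares it only after the login request has gone out. The following is an added illustration, not FortiClient code or anything from the vendor; the connection object, the fingerprint-pinning check and the constructed certificate bytes are assumptions made for the example. It contrasts the flawed send-then-check order with the corrected check-then-send order and shows, using a recording fake connection, that in the corrected version no password bytes ever leave the client when the certificate does not match.

```python
import hashlib
import socket
import ssl
from typing import Callable, List, Optional


class CertificateMismatch(Exception):
    """Raised when the peer certificate is not the one the client expects."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def login_send_then_check(conn, expected_fp: str, username: str, password: str,
                          warn: Callable[[str], None]) -> bool:
    """Flawed ordering, as described in the advisory: the password is written
    to the connection first and the certificate is compared afterwards, so the
    warning arrives only after the secret is already on the wire."""
    conn.send(f"username={username}&password={password}\n".encode())
    fp = cert_fingerprint(conn.getpeercert(binary_form=True))
    if fp != expected_fp:
        warn(f"unexpected server certificate {fp[:16]}...")  # too late
        return False
    return True


def login_check_then_send(conn, expected_fp: str, username: str, password: str,
                          warn: Callable[[str], None]) -> bool:
    """Corrected ordering: nothing secret is sent until the peer certificate
    has been verified; a mismatch aborts the login."""
    fp = cert_fingerprint(conn.getpeercert(binary_form=True))
    if fp != expected_fp:
        warn(f"unexpected server certificate {fp[:16]}...")
        raise CertificateMismatch(fp)
    conn.send(f"username={username}&password={password}\n".encode())
    return True


def open_verified_tls(host: str, port: int = 443,
                      cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Real-world connection path (not exercised offline): with chain and
    host-name verification enforced during the handshake, wrap_socket raises
    before the caller can send anything if the server certificate is wrong."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


class FakeTLSConnection:
    """Stand-in for an ssl.SSLSocket so the ordering can be tested offline.
    Records every chunk the client sends and returns a constructed 'certificate'."""

    def __init__(self, der_cert: bytes):
        self._cert = der_cert
        self.sent: List[bytes] = []

    def getpeercert(self, binary_form: bool = False):
        return self._cert if binary_form else {}

    def send(self, data: bytes) -> int:
        self.sent.append(data)
        return len(data)


# Constructed sample bytes standing in for DER certificates (not real certificates):
# the firewall's own certificate and a different one presented by an interposed proxy.
FIREWALL_CERT_DER = b"constructed-der-for-the-real-firewall"
PROXY_CERT_DER = b"constructed-der-for-an-interposed-proxy"
EXPECTED_FP = cert_fingerprint(FIREWALL_CERT_DER)


def password_was_sent(conn: FakeTLSConnection, password: str) -> bool:
    """True if any chunk written to the connection contains the password."""
    return any(password.encode() in chunk for chunk in conn.sent)


def demo() -> dict:
    """Run both orderings against the proxy certificate and report whether the
    password left the client in each case."""
    warnings: List[str] = []
    results = {}
    conn = FakeTLSConnection(PROXY_CERT_DER)
    login_send_then_check(conn, EXPECTED_FP, "alice", "s3cret", warnings.append)
    results["send_then_check_leaked"] = password_was_sent(conn, "s3cret")
    conn = FakeTLSConnection(PROXY_CERT_DER)
    try:
        login_check_then_send(conn, EXPECTED_FP, "alice", "s3cret", warnings.append)
    except CertificateMismatch:
        pass
    results["check_then_send_leaked"] = password_was_sent(conn, "s3cret")
    results["warnings"] = len(warnings)
    return results


if __name__ == "__main__":
    print(demo())
```

Both orderings emit the same warning; the only difference is whether the credential has already been transmitted when the warning is shown, which is exactly what makes the flaw unpreventable by the user. A client that lets the TLS library enforce verification during the handshake (as in `open_verified_tls`) gets the correct ordering for free, because a failed handshake never yields a socket to write to.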

Rating
------
Critical. The user cannot prevent the interception. Intercepted
credentials give full access to the VPN.

Vulnerable versions
-------------------
Tested:
- FortiClient Lite 4.3.3.445 on Windows 7
- FortiClient SSL VPN 4.0.2012 for Linux on Ubuntu
- FortiClient Lite Android 2.0

Acknowledged by vendor:
- FortiClient v4.3.3 - Patch 3 on Windows
- FortiClient v4.0 - Patch 2 on MacOS

History
-------
April 11, 2012: Vendor first contacted
May 2, 2012: Problem acknowledged
Dec 21, 2012: Vendor has patched all versions except Android v2


Current Status
--------------
April 2013:
Android FortiClient Lite v2.0.0223 still not patched and available on
Play Store.
Linux version not supported anymore. Apparently no patch available.

According to vendor all other versions have been patched on all
available platforms (as of V4.3 patch 11).


Credit
------
Discovered by Cédric Tissières and Philippe Oechslin, Objectif Sécurité

www.objectif-securite.ch

-- 
Philippe Oechslin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/