lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Dec 2017 15:39:17 +0100
From: SEC Consult Vulnerability Lab <>
To: <>, <>
Subject: [FD] SEC Consult SA-20171213-0 :: VPN credentials disclosure in
 Fortinet FortiClient

SEC Consult Vulnerability Lab Security Advisory < 20171213-0 >
              title: VPN credentials disclosure
            product: Fortinet FortiClient
 vulnerable version: <4.4.2335 on Linux, <5.6.1 on Windows,
                     <5.6.1 on Mac OSX
      fixed version: 4.4.2335 on Linux, 5.6.1 on Windows, 5.6.1 on Mac OS X
         CVE number: CVE-2017-14184
             impact: High
           homepage: |
              found: 2017-08-29
                 by: M. Li (Office Singapore)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."


Business recommendation:
The patched FortiClient versions should be installed immediately as the VPN
credentials could be decrypted by an attacker.

Vulnerability overview/description:
FortiClient stores the VPN authentication credentials in a configuration file
(on Linux or Mac OSX) or in registry (on Windows). The credentials are
encyrpted but can still be recovered since the decryption key is hardcoded
in the program and the same on all installations. Above all, the aforementioned
storage is world readable, which actually lays the foundation for the
credential recovery.

Proof of concept:
1) Hardcoded key
The hardcoded key can be disclosed on the Linux version by issuing the following
$ strings forticlientsslvpn |grep "fc_1A"

The same decryption key can be found in the Windows and Mac OSX binary.

2) Overly permissive access control
The read access of the configuration file is set for "others" too, making the file
world-readable. On Mac OSX, the file can be found under
/Library/Application Support/Fortinet/FortiClient/conf/vpn.plist
while the same dataset is stored in the registry key
on Windows, which is world-readable for all users as well.

$ ls -l /home/user/.fctsslvpnhistory
-rw-rw-rw- 1 root root 1227 Aug 23 12:26 .fctsslvpnhistory
$ cat /home/user/.fctsslvpnhistory
p12passwdenc=Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51

Combining the two issues, an attacker can steal the password of any user who
has a FortiClient profile on the system. In an enterprise environment, where
employees usually log onto VPN server with their domain credentials, a vicious
employee can extensively harvest the credentials of colleagues by logging onto the
workstation where the credentials have been stored. Hence an attacker might
steal credentials of any user in the domain and gain access to their user account
(e.g. emails, other private data).

SEC Consult developed a proof of concept tool which takes as input the encrypted
string, and prints the decrypted hexdecimal bytes followed by the recovered
password. For now, this tool will not be released to give users more time to

$ kr
0x50  0x61  0x73  0x73  0x77  0x6f  0x72  0x64
0x52  0x65  0x63  0x6f  0x76  0x65  0x72  0x65
0x64  0x00

The advisory on our website also contains further detailed technical information
with screenshots:

Vulnerable / tested versions:
The vulnerabilities have been identified in version 4.4.2332 on Linux, version on Windows as well as version on Mac OSX, which were the
latest version of the product at the audit time to our best knowledge.

Vendor contact timeline:
2017-08-30: Contacting vendor through
2017-09-19: Contacting vendor again due to lost message
2017-09-20: Vendor confirmed and assigned CVE-2017-14184 to the issues
2017-10-19: Vendor requested to postpone the release date
2017-11-02: Vendor informed the fix for Windows and OS X was done
2017-11-22/23: Vendor released 5.6.1 for OS X and 5.6.2 for Windows
2017-12-08: Vendor informed that the fix for Linux is available together
            with FortiOS release version 5.4.7
2017-12-13: Public disclosure of advisory

According to the vendor, all the identified issues have been fixed in the
following versions:
* FortiClient for Windows v5.6.1
* FortiClient for Mac OSX v5.6.1
* FortiClient SSLVPN Client for Linux v4.4.2335 released together with FortiOS

For further information see the website of the vendor:

Please upgrade to the latest version immediately.

It is recommended not to save the password and remove "read/write" permissions
for low privileged users or groups.

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices

Mail: research at sec-consult dot com

EOF M. Li / @2017

Download attachment "smime.p7s" of type "application/pkcs7-signature" (3995 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists