Potential sensitive information can be displayed in cleartext in FortiProxy CLI window

Summary

A cleartext storage of sensitive information vulnerability in the FortiProxy command line interface may allow an authenticated attacker to obtain sensitive information, such as VPN users' passwords, by connecting to the FortiProxy CLI and executing the "diagnose sys ha checksum show" command.

Impact

Information Disclosure

Affected Products

FortiProxy version 2.0.0.
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

Acknowledgement

Fortinet is pleased to thank Shaun Farrow for reporting this vulnerability under responsible disclosure.