Credentials can be dumped from memory
Summary
A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiClient Windows and FortiClient Linux may permit a local authenticated user to retrieve the VPN password via a memory dump, due to JavaScript's garbage collector.
| Version | Affected | Solution |
|---|---|---|
| FortiClientLinux 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiClientLinux 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiClientLinux 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiClientWindows 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiClientWindows 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiClientWindows 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
Workarounds:
For all versions (Windows and Linux):
- To mitigate the impact of potentially stolen passwords, enable two-factor authentication under user configuration in FortiOS:
E.g. for a local user:
config user local
edit <user>
set two-factor <option>
next
end
- SAML authentication:
Users authenticating with SAML in the FortiClient built-in browser are not affected as long as the FortiClient console closes after the VPN connection is established.
For FortiClient Windows versions 7.2.6 and 7.4.1 only:
Verify that the FortiClient console window closes automatically after a successful VPN connection (the default setting).
To ensure that the FortiClient console closes automatically once the VPN tunnel is established, the "minimize_window_on_connect" element of the XML configuration file should be set to '1', as mentioned in the reference:
<minimize_window_on_connect>1</minimize_window_on_connect>
Note that this configuration option can also be controlled by EMS by enabling the "Minimize FortiClient Console on Connect" setting in the EMS Remote Access Profile.
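As an added example (not Fortinet's code), the following Python audits an endpoint against this advisory: it applies the affected-version table above and, for the two Windows builds that support the console-minimize workaround, checks an exported FortiClient XML configuration for minimize_window_on_connect set to 1. The elements surrounding minimize_window_on_connect and the sample profile are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Affected ranges taken from the advisory table; high=None means the whole branch.
AFFECTED = [
    ("linux", (7, 4, 0), (7, 4, 2)),
    ("linux", (7, 2, 0), (7, 2, 7)),
    ("linux", (7, 0, 0), None),
    ("windows", (7, 4, 0), (7, 4, 1)),
    ("windows", (7, 2, 0), (7, 2, 6)),
    ("windows", (7, 0, 0), (7, 0, 13)),
]
# Per the advisory, only these Windows builds support the console-minimize workaround.
WORKAROUND_BUILDS = {("windows", (7, 2, 6)), ("windows", (7, 4, 1))}

# Constructed sample of an exported profile; the parent <vpn> element is an assumption.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <vpn>
    <minimize_window_on_connect>{value}</minimize_window_on_connect>
  </vpn>
</forticlient_configuration>"""

def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.strip().split("."))

def is_affected(product: str, version: tuple) -> bool:
    for prod, low, high in AFFECTED:
        if prod != product:
            continue
        if high is None and version[:2] == low[:2]:
            return True
        if high is not None and low <= version <= high:
            return True
    return False

def console_minimizes_on_connect(xml_text: str):
    """True if minimize_window_on_connect is '1', False if set otherwise, None if absent."""
    elem = ET.fromstring(xml_text).find(".//minimize_window_on_connect")
    if elem is None:
        return None
    return (elem.text or "").strip() == "1"

def assess(product: str, version_text: str, xml_text: str = None) -> str:
    """Classify an endpoint: 'not_affected', 'upgrade', 'workaround_ok' or 'workaround_missing'."""
    version = parse_version(version_text)
    if not is_affected(product, version):
        return "not_affected"
    if (product, version) in WORKAROUND_BUILDS and xml_text is not None:
        return "workaround_ok" if console_minimizes_on_connect(xml_text) else "workaround_missing"
    return "upgrade"

if __name__ == "__main__":
    for ver, val in (("7.2.6", "1"), ("7.2.6", "0"), ("7.2.5", "1"), ("7.2.7", "1")):
        print(ver, val, assess("windows", ver, SAMPLE_XML.format(value=val)))
```

An absent element is reported as the workaround missing, since the advisory asks to verify the value is present and set to '1'.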
Acknowledgement
Fortinet is pleased to thank Efstratios Chatzoglou, Vyron Kampourakis, Zisis Tsiatsikas, Georgios Karopoulos, and Georgios Kambourakis from the University of the Aegean and the Norwegian University of Science and Technology, and Hassan Al-Khafaji from NourNet for reporting this vulnerability under responsible disclosure.
Timeline
2024-12-18: Initial publication
2025-04-22: Modified affected versions