FortiClient insecure VPN credential storage Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-214 Final 1 1 2018-04-20T00:00:00 Current version 2018-04-20T00:00:00 2018-04-20T00:00:00 In certain conditions, FortiClient users' VPN credentials are stored in improperly secured locations and unsafely encrypted.[CVE-2017-14184]When the FortiClient "Save Password" feature is enabled (disabled by default), and when users make use of it, FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; users sharing the same workstation may therefore be able to see each other's encrypted credentials.[CVE-2017-17543]Users' VPN authentication credentials are unsafely encrypted in multiple FortiClient distributions, due to the use of a static encryption key and weak encryption algorithms. Information disclosure FortiClient for Windows:[CVE-2017-14184] 5.6.0 and below versions.[CVE-2017-17543] 5.6.0 and below versions.FortiClient for Mac OSX:[CVE-2017-14184] 5.6.0 and below versions.[CVE-2017-17543] 5.6.0 and below versions.FortiClient SSLVPN Client for Linux:[CVE-2017-14184] 4.4.2334 and below versions.[CVE-2017-17543] 4.4.2335 and below versions.FortiClient Android:Not Impacted.FortiClient EMS:Not Impacted.FortiClient IOSNot Impacted. FortiClient for Windows:[CVE-2017-14184] Upgrade to 5.6.1[CVE-2017-17543] Upgrade to 5.6.1FortiClient for Mac OSX:[CVE-2017-14184] Upgrade to 5.6.1[CVE-2017-17543] Upgrade to 5.6.1FortiClient SSLVPN Client for Linux:[CVE-2017-14184] Upgrade to 4.4.2335 released together with FortiOS 5.4.7[CVE-2017-17543] Upgrade to 4.4.2336 released together with FortiOS 6.0.0WorkaroundsA scheduled upgrading to the resolved versions is strongly recommended to maximum the security protection.When a FortiClient upgrade is not feasible temporarily, it is suggested to disable the FortiClient "Save Password" feature from FortiOS, end users need stop using this option on FotiClient and change their passwords right after that. To ensure remove any cached credentials in operation systems, perform a FortiClient uninstall then reinstall is also recommended.To disable the "Save Password" feature, on FortiOS, run the following CLI command:For SSL VPN:config vpn ssl web portaledit [portal-name]set save-password disablenextendFor IPSec:config vpn ipsec phase1edit [vpn-name]set save-password disablenextendconfig vpn ipsec phase1-interfaceedit [vpn-name]set save-password disablenextendUpdate History:12-07-2017 Initial version04-10-2018 FortiClient SSLVPN Client for Linux fixed CVE-2017-17543 in 4.0.2336 https://fortiguard.fortinet.com/psirt/FG-IR-17-214 FortiClient insecure VPN credential storage https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html Fortinet is pleased to thank "M. Li of SEC Consult Vulnerability Lab" and "Ci&T Software S/A Brazil" reporting these vulnerabilities separately under responsible disclosure. CVE-2017-14184 CVE-2017-17543 0 https://fortiguard.fortinet.com/psirt/FG-IR-17-214 FortiClient insecure VPN credential storage Reference> https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html