VPN credentials disclosure in Fortinet FortiClient

Published: 2017-12-13 15:59:50
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 1.6 (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3 2.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE ID CVE-2017-14184
CWE ID CWE-200
Exploitation vector Local
Public exploit Not available
Vulnerable software Fortinet FortiClient
Vulnerable software versions Fortinet FortiClient 5.6.0
Vendor URL Fortinet, Inc
Advisory type Public

Security Advisory

1) Information disclosure

Description

The vulnerability allows a local user to obtain potentially sensitive information.

The vulnerability exists due to improper storage of encrypted VPN authentication credentials. A local user can retrieve VPN users' credentials from the binary file in which they are stored.

Remediation

Update to version 5.6.1.

External links

https://fortiguard.com/psirt/FG-IR-17-214
