Weak Encryption in Fortinet FortiClient Leading to Credential Exposure
CVE-2017-17543

7.5HIGH

Key Information:

Vendor: Fortinet
Status: Forticlient For Windows; Forticlient For Mac Osx; Forticlient Sslvpn Client For Linux
Vendor: CVE Published:; 26 April 2018

Summary

The Fortinet FortiClient applications for Windows, Mac OSX, and Linux exhibit a security flaw where VPN authentication credentials are inadequately encrypted. This issue arises from the reliance on a static encryption key combined with the use of outdated and weak encryption algorithms. Consequently, sensitive user credentials could be exposed to unauthorized individuals, potentially leading to serious security breaches. Organizations using affected versions are advised to update their FortiClient installations promptly to mitigate risks.

Affected Version(s)

FortiClient for Mac OSX 5.6.0 and below versions

FortiClient for Windows 5.6.0 and below versions

FortiClient SSLVPN Client for Linux 4.4.2335 and below versions

References

https://fortiguard.com/advisory/FG-IR-17-214

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 26, 2018
Vulnerability Reserved
Dec 11, 2017