Fortinet FortiClient security update

Number: AV17-193
Date: 14 December 2017

Purpose

The purpose of this advisory is to bring attention to an update for Fortinet’s FortiClient endpoint protection.

Assessment

CCIRC is aware of a critical information disclosure vulnerability in Fortinet’s FortiClient. Exploitation of this vulnerability may allow for unwanted disclosure of VPN authentication credentials, allowing a regular user to harvest other users’ encrypted credentials and decrypt them into plaintext using a hard-coded key.

Affected Versions:

  • FortiClient for Windows: 5.6.0 and versions below
  • FortiClient for Mac OSX: 5.6.0 and versions below
  • FortiClient SSLVPN Client for Linux: 4.4.2334 and versions below

CVE reference: CVE-2017-14184

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

  • FortiClient for Windows: Upgrade to 5.6.1
  • FortiClient for Mac OSX: Upgrade to 5.6.1
  • FortiClient SSLVPN Client for Linux: Upgrade to 4.4.2335 released together with FortiOS 5.4.7
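As an added example (not CCIRC’s or Fortinet’s code), the following Python script checks an endpoint inventory against the affected and fixed versions listed above and reports which hosts still need the upgrade; the platform labels and the sample inventory records are constructed for illustration.

```python
# Added example: triage an endpoint inventory against the affected-version
# table in this advisory. Not Fortinet's or CCIRC's code; platform labels and
# the inventory records below are constructed for illustration.
from typing import Dict, List, Optional, Tuple

# Last affected version and the fixed version per platform, as stated above.
ADVISORY: Dict[str, Tuple[str, str]] = {
    "windows": ("5.6.0", "5.6.1"),
    "macos": ("5.6.0", "5.6.1"),
    "linux-sslvpn": ("4.4.2334", "4.4.2335"),
}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 5.10.0 sorts above 5.6.0
    (a plain string comparison would get this wrong)."""
    parts = ver.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, installed: str) -> Optional[bool]:
    """True if `installed` is at or below the last affected version for the
    platform; None if the platform is not covered by this advisory."""
    entry = ADVISORY.get(platform.lower())
    if entry is None:
        return None
    return parse_version(installed) <= parse_version(entry[0])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version to upgrade to) for every host still on an
    affected build; hosts already at or above the fix are omitted."""
    return [(host, ADVISORY[platform.lower()][1])
            for host, platform, installed in inventory
            if is_affected(platform, installed)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "5.6.0"),
    ("ws-02", "windows", "5.6.1"),
    ("mac-01", "macos", "5.4.3"),
    ("lnx-01", "linux-sslvpn", "4.4.2334"),
    ("lnx-02", "linux-sslvpn", "4.4.2335"),
]

for host, fix in triage(SAMPLE_INVENTORY):
    print(f"{host}: affected by CVE-2017-14184, upgrade to {fix}")
```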
