Fortinet Forticlient security update

Number: AV17-193
Date: 14 December 2017

Purpose

The purpose of this advisory is to bring attention to an update for Fortinet’s FortiClient endpoint protection.

Assessment

CCIRC is aware of a critical information disclosure vulnerability in Fortinet’s FortiClient.  Exploitation of this vulnerability may allow for unwanted disclosure of VPN authentication credentials, allowing a regular user to harvest other user’s encrypted credentials and decrypt them into plaintext using a hard coded key.

Affected Versions:

• FortiClient for Windows: 5.6.0 and versions below
• FortiClient for Mac OSX 5.6.0 and versions below
• FortiClient SSLVPN Client for Linux 4.4.2334 and versions below

CVE reference: CVE-2017-14184

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

• FortiClient for Windows: Upgrade to 5.6.1
• FortiClient for Mac OSX: Upgrade to 5.6.1
• FortiClient SSLVPN Client for Linux: Upgrade to 4.4.2335 released together with FortiOS 5.4.7

References:

• https://fortiguard.com/psirt/FG-IR-17-214
• http://seclists.org/fulldisclosure/2017/Dec/43
• https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html  
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14184