Number: AV17-193
Date: 14 December 2017
Purpose
The purpose of this advisory is to bring attention to a security update for Fortinet’s FortiClient endpoint protection software.
Assessment
CCIRC is aware of a critical information disclosure vulnerability in Fortinet’s FortiClient. Exploitation of this vulnerability may allow a regular (non-privileged) local user to harvest other users’ encrypted VPN authentication credentials and decrypt them into plaintext, because the credentials are protected with a hard-coded key that is the same for every installation of the client.
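The following Python example is added here by the editor to illustrate the general weakness the advisory describes; it is not code from the advisory or from Fortinet, and it does not reproduce FortiClient’s storage format, algorithm or key. It contrasts a credential store whose key is a constant in the program (so anyone who can read the binary and the stored blob can decrypt it) with one whose key lives in a per-user file with mode 0600. The stream cipher built from HMAC-SHA256, the constant HARD_CODED_KEY, the credential value and the .vpnclient/store.key path are all constructed for the illustration; POSIX file permissions are assumed.

```python
"""Why a hard-coded key gives saved credentials no real protection (illustration)."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Constructed placeholder: stands in for a key compiled into a client binary
# that every local user can read. Not FortiClient's key.
HARD_CODED_KEY = b"example-static-key-shared-by-all-installs"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (illustrative cipher).
    Applying it twice with the same key and nonce restores the input."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag, so tampering or a wrong key is detected."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(key, nonce, ct)


# --- Weak design: the key is a constant in the program -------------------
def store_weak(credential: bytes) -> bytes:
    return seal(HARD_CODED_KEY, credential)


def attacker_decrypt_weak(blob: bytes):
    # A regular user who can read the client binary and the stored blob
    # has everything needed to recover the plaintext.
    return open_sealed(HARD_CODED_KEY, blob)


# --- Hardened design: per-user key in a file only the owner can read -----
def user_key_path(home: str) -> str:
    return os.path.join(home, ".vpnclient", "store.key")  # constructed path


def load_or_create_user_key(home: str) -> bytes:
    path = user_key_path(home)
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    if not os.path.exists(path):
        # O_EXCL + 0600 at creation: never briefly world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(secrets.token_bytes(32))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by other users (mode {oct(mode)})")
    with open(path, "rb") as f:
        return f.read()


def store_hardened(home: str, credential: bytes) -> bytes:
    return seal(load_or_create_user_key(home), credential)


def attacker_decrypt_hardened(blob: bytes):
    # The attacker still has the binary (so knows the construction and the
    # constant) and the blob, but not the victim's 0600 key file.
    return open_sealed(HARD_CODED_KEY, blob)


def demo() -> dict:
    """Run both designs against a constructed credential and report results."""
    credential = b"alice:hunter2"  # constructed sample, not real data
    weak_blob = store_weak(credential)
    with tempfile.TemporaryDirectory() as home:
        hardened_blob = store_hardened(home, credential)
        owner_view = open_sealed(load_or_create_user_key(home), hardened_blob)
    return {
        "weak_attacker": attacker_decrypt_weak(weak_blob),          # plaintext
        "hardened_attacker": attacker_decrypt_hardened(hardened_blob),  # None
        "hardened_owner": owner_view,                                # plaintext
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point for a practitioner is that the weak store is equivalent to plaintext for any local account that can read the program: the key material, not the cipher, is what separates the two designs. A real client would normally use the platform credential store rather than a key file, but the ownership check on the key file is still the property to look for when reviewing how a VPN client saves credentials.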
Affected Versions:
- FortiClient for Windows: 5.6.0 and below
- FortiClient for Mac OSX: 5.6.0 and below
- FortiClient SSLVPN Client for Linux: 4.4.2334 and below
CVE reference: CVE-2017-14184
Suggested Action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
- FortiClient for Windows: Upgrade to 5.6.1
- FortiClient for Mac OSX: Upgrade to 5.6.1
- FortiClient SSLVPN Client for Linux: Upgrade to 4.4.2335 released together with FortiOS 5.4.7
References: