FortiClient insecure VPN credential storage and encryption

Summary

In certain conditions, FortiClient users' VPN credentials are stored in improperly secured locations and unsafely encrypted.

[CVE-2017-14184]

When the FortiClient "Save Password" feature is enabled (it is disabled by default), and when users make use of it, FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; users sharing the same workstation may therefore be able to see each other's encrypted credentials.

[CVE-2017-17543]

Users' VPN authentication credentials are unsafely encrypted in multiple FortiClient distributions, due to the use of a static encryption key and weak encryption algorithms.

Affected Products

FortiClient for Windows:
[CVE-2017-14184] 5.6.0 and below versions.
[CVE-2017-17543] 5.6.0 and below versions.
FortiClient for Mac OSX:
[CVE-2017-14184] 5.6.0 and below versions.
[CVE-2017-17543] 5.6.0 and below versions.
FortiClient SSLVPN Client for Linux:
[CVE-2017-14184] 4.4.2334 and below versions.
[CVE-2017-17543] 4.4.2335 and below versions.
FortiClient Android:
Not Impacted.
FortiClient EMS:
Not Impacted.
FortiClient IOS
Not Impacted.

Solutions

FortiClient for Windows:
[CVE-2017-14184] Upgrade to 5.6.1
[CVE-2017-17543] Upgrade to 5.6.1
FortiClient for Mac OSX:
[CVE-2017-14184] Upgrade to 5.6.1
[CVE-2017-17543] Upgrade to 5.6.1
FortiClient SSLVPN Client for Linux:
[CVE-2017-14184] Upgrade to 4.4.2335, released together with FortiOS 5.4.7
[CVE-2017-17543] Upgrade to 4.4.2336, released together with FortiOS 6.0.0

Workarounds

A scheduled upgrade to the fixed versions is strongly recommended to maximize security protection. When a FortiClient upgrade is temporarily not feasible, it is suggested to disable the FortiClient "Save Password" feature from FortiOS; end users then need to stop using this option on FortiClient and change their passwords right after that. To ensure that any credentials cached by the operating system are removed, a FortiClient uninstall followed by a reinstall is also recommended.

To disable the "Save Password" feature, on FortiOS, run the following CLI commands:

For SSL VPN:

config vpn ssl web portal
    edit [portal-name]
        set save-password disable
    next
end

For IPsec:

config vpn ipsec phase1
    edit [vpn-name]
        set save-password disable
    next
end

config vpn ipsec phase1-interface
    edit [vpn-name]
        set save-password disable
    next
end

Update History:

12-07-2017 Initial version
04-10-2018 FortiClient SSLVPN Client for Linux fixed CVE-2017-17543 in 4.0.2336
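To verify that the workaround above has actually been applied across all portals and phase1 entries, an added audit script (not Fortinet's code) that walks a FortiOS configuration dump and reports every entry in the three tables where save-password is still enabled; the configuration excerpt is constructed for illustration, and treating an entry with no explicit setting as disabled is an assumption based on the advisory's statement that the feature is disabled by default.

```python
from typing import Dict, List, Tuple

# Constructed FortiOS configuration excerpt (not from a real device): one SSL VPN
# portal and one IPsec phase1-interface still have "Save Password" enabled.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set save-password enable
    next
end
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set save-password enable
    next
    edit "lab-vpn"
    next
end
"""

# The three configuration tables the advisory's workaround covers.
SAVE_PASSWORD_TABLES = (
    "vpn ssl web portal",
    "vpn ipsec phase1",
    "vpn ipsec phase1-interface",
)

def parse_save_password(config_text: str) -> Dict[Tuple[str, str], str]:
    """Return {(table, entry): save-password value} for the tables above. An entry
    with no explicit setting counts as "disable" (assumption: the advisory says the
    feature is disabled by default)."""
    results: Dict[Tuple[str, str], str] = {}
    table = entry = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):].strip()
        elif line.startswith("edit ") and table in SAVE_PASSWORD_TABLES:
            entry = line[len("edit "):].strip().strip('"')
            results[(table, entry)] = "disable"
        elif line.startswith("set save-password ") and entry is not None:
            results[(table, entry)] = line.split()[-1]
        elif line == "next":
            entry = None   # leave the table, clear the current entry
        elif line == "end":
            table = entry = None
    return results

def enabled_entries(config_text: str) -> List[Tuple[str, str]]:
    """(table, entry) pairs where Save Password is still enabled, sorted."""
    return sorted(k for k, v in parse_save_password(config_text).items() if v == "enable")
```

Feed it the output of `show vpn ssl web portal`, `show vpn ipsec phase1` and `show vpn ipsec phase1-interface` concatenated; any pair it returns still needs the `set save-password disable` change.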

Acknowledgement

Fortinet is pleased to thank "M. Li of SEC Consult Vulnerability Lab" and "Ci&T Software S/A Brazil" for reporting these vulnerabilities separately under responsible disclosure.