Forticlient VPN client credential interception vulnerability

2013.06.26
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 5.4/10
Impact Subscore: 6.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY
============================================================

Description
-----------
The Fortinet FortiClient VPN client on all available platforms suffers
from a certificate validation vulnerability which allows an attacker to
successfully run a man-in-the-middle attack and to steal the credentials
of the user.

When the FortiClient VPN client is tricked into connecting to a proxy
server rather than to the original firewall (e.g. through ARP or DNS
spoofing), it detects the wrong SSL certificate but it only warns the
user _AFTER_ it has already sent the password to the proxy.

Rating
------
Critical. User can not prevent interception. Intercepted credentials
give full access to VPN.

Vulnerable versions:
-------------------
Tested:
- FortiClient Lite 4.3.3.445 on Windows 7
- FortiClient SSL VPN 4.0.2012 for Linux on Ubuntu
- FortiClient Lite Android 2.0

Acknowledged by vendor
- FortiClient v4.3.3 - Patch 3 on Windows
- FortiClient v4.0 - Patch 2 on MacOS

History
-------
April 11, 2012: Vendor first contacted
May 2, 2012: Problem acknowledged
Dec 21, 2012: Vendor has patched all versions except Android v2

Current Status
--------------
April 2013: Android FortiClient Lite v2.0.0223 still not patched and
available on Play Store.
Linux version not supported anymore. Apparently no patch available.
According to vendor all other versions have been patched on all
available platforms (as of V4.3 patch 11).

Credit:
-------
Discovered by Cédric Tissières and Philippe Oechslin, Objectif Sécurité
www.objectif-securite.ch

--
Philippe Oechslin

References:

http://www.objectif-securite.ch
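
The ordering flaw described above, next to the corrected ordering, as an added example that is not code from the advisory or from the vendor. The `Endpoint` class, the function names, the certificate blobs and the credential are constructed for illustration, and validation is modelled here as a SHA-256 fingerprint comparison, which is an assumption about how a client might check the peer.

```python
import hashlib
import hmac


class Endpoint:
    """Constructed stand-in for a TLS peer: holds a certificate, logs what it receives."""

    def __init__(self, cert_der: bytes):
        self.cert_der = cert_der
        self.received = []

    def send(self, data: bytes) -> None:
        self.received.append(data)


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def cert_matches(peer: Endpoint, pinned_fp: str) -> bool:
    # Constant-time comparison of the presented certificate against the expected one.
    return hmac.compare_digest(fingerprint(peer.cert_der), pinned_fp)


def login_check_after_send(peer, pinned_fp, user, password):
    """Order described in the advisory: the password leaves first, the warning comes later."""
    peer.send(f"{user}:{password}".encode())
    if not cert_matches(peer, pinned_fp):
        return "warned-after-send"
    return "ok"


def login_check_before_send(peer, pinned_fp, user, password):
    """Corrected order: a certificate mismatch aborts before any secret is written."""
    if not cert_matches(peer, pinned_fp):
        return "aborted-before-send"
    peer.send(f"{user}:{password}".encode())
    return "ok"


# Constructed sample data: placeholder certificate blobs and a dummy credential.
GATEWAY_CERT = b"constructed-gateway-certificate"
OTHER_CERT = b"constructed-unexpected-certificate"
PINNED = fingerprint(GATEWAY_CERT)


def run(login, cert):
    """Run one login flow against a peer presenting `cert`; return (status, bytes the peer saw)."""
    peer = Endpoint(cert)
    return login(peer, PINNED, "alice", "dummy-password"), peer.received
```

In both flows the mismatch is detected; the difference is whether the peer has already received the credential when the check runs, which is why a warning shown after the send gives the user nothing to act on.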

