FortiClient Exposes VPN Credentials
A security flaw in Fortinet’s antivirus product has been discovered affecting both home and enterprise level clients. FortiClient, which also includes VPN connectivity, stores VPN credentials in a local file on each system or in the registry for Windows users. Although this file is encrypted, the key is hard-coded in the program and is the same on all installations.
Testing done by Nuspire’s Security Analytics Team shows that even if credentials aren’t stored in the VPN profiles, the program still contains a history of all previous connections, and that holds the password information as well.
Although this attack would require physical access to a device, or a device that is already compromised, it still raises a security concern. Fortinet has issued a patched version of FortiClient and urges all users to upgrade immediately to mitigate this threat. A workaround can also be used that requires all “read/write” access for low privileged users be removed.
The following versions have been fixed by the manufacturer:
- FortiClient for Windows v5.6.1
- FortiClient for Mac OSX v5.6.1
- FortiClient SSLVPN Client for Linux v4.4.2335 released together with FortiOS 5.4.7