thehat
Posted May 12, 2013

The Fortinet FortiClient VPN client on all available platforms suffers from a certificate validation vulnerability which allows an attacker to successfully run a man-in-the-middle attack and to steal the credentials of the user.

We found this one year ago. Although most versions have been patched we
haven't seen any public info on this yet.

FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY
============================================================

Description
-----------
The Fortinet FortiClient VPN client on all available platforms suffers
from a certificate validation vulnerability which allows an attacker
to successfully run a man-in-the-middle attack and to steal the
credentials of the user.

When the FortiClient VPN client is tricked into connecting to a proxy
server rather than to the original firewall (e.g. through ARP or DNS
spoofing,) it detects the wrong SSL certificate but it only warns the
user _AFTER_ it has already sent the password to the proxy.

Rating
------
Critical. User can not prevent interception. Intercepted credentials
give full access to VPN.

Vulnerable versions:
-------------------
Tested:
- FortiClient Lite 4.3.3.445 on Windows 7
- FortiClient SSL VPN 4.0.2012 for Linux on Ubuntu
- FortiClient Lite Android 2.0

Acknowledged by vendor
- FortiClient v4.3.3 - Patch 3 on Windows
- FortiClient v4.0 - Patch 2 on MacOS

History
-------
April 11, 2012: Vendor first contacted
May 2, 2012: Problem acknowledged
Dec 21, 2012: Vendor has patched all versions except Android v2

Current Status
--------------
April 2013:
Android FortiClient Lite v2.0.0223 still not patched and available on
Play Store.
Linux version not supported anymore. Apparently no patch available.
According to vendor all other versions have been patched on all
available platforms (as of V4.3 patch 11).

Credit:
-------
Discovered by Cédric Tissières and Philippe Oechslin, Objectif Sécurité
Objectif Sécurité - Accueil

--
Philippe Oechslin

Source: Forticlient VPN Client Credential Interception ≈ Packet Storm
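
The ordering flaw the advisory describes, set beside the verify-before-send ordering, as an added Python regression check that is not part of the original post or of any Fortinet code. It assumes the `openssl` CLI is on PATH to create a throwaway self-signed certificate; `HOST`, the function names and the sample credentials are constructed for illustration.

```python
import contextlib, os, socket, ssl, subprocess, tempfile, threading
HOST = "vpn.example.test"  # constructed gateway name, not taken from the advisory

def start_untrusted_endpoint(seen):
    """Test fixture: local TLS listener with a self-signed cert; records plaintext."""
    d = tempfile.mkdtemp()
    crt, key = os.path.join(d, "crt.pem"), os.path.join(d, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + HOST],
                   check=True, capture_output=True)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            # A client that rejects the certificate aborts the handshake (SSLError).
            with contextlib.suppress(OSError), ctx.wrap_socket(conn, server_side=True) as tls:
                seen.append(tls.recv(4096))
                tls.sendall(b"ok")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def login_check_after_send(port, creds):
    """Ordering described in the advisory: send first, judge the certificate later."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # accept any cert
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, \
         ctx.wrap_socket(s, server_hostname=HOST) as tls:
        tls.sendall(creds)
        tls.recv(16)                  # wait for the endpoint's reply
        return "warned after send"    # any certificate warning now is too late

def login_verify_first(port, creds):
    """Hardened ordering: chain and hostname are verified inside the handshake."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s, \
             ctx.wrap_socket(s, server_hostname=HOST) as tls:
            tls.sendall(creds)
            return "sent"
    except ssl.SSLCertVerificationError:
        return "refused before send"

if __name__ == "__main__":
    seen = []
    port = start_untrusted_endpoint(seen)
    for login in (login_verify_first, login_check_after_send):
        print(login.__name__, "->", login(port, b"user:secret"), "| endpoint saw:", seen)
```

A client passes this check only if the endpoint's record stays empty when the certificate is untrusted, regardless of what the user is shown afterwards.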