Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Forticlient VPN Client Credential Interception

🗓️ 01 May 2013 00:00:00Reported by Cedric TissieresType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 16 Views

Forticlient VPN Client Credential Interception Vulnerability discovered by Cédric Tissières and Philippe Oechslin. Critical man-in-the-middle attack vulnerability in FortiClient VPN client, allows interception of user credentials. Most versions patched, Android v2 and Linux version remain unpatched

Code
`  
We found this one year ago. Although most versions have been patched we  
haven't seen any public info on this yet.  
  
  
FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY  
============================================================  
  
Description  
-----------  
The Fortinet FortiClient VPN client on all available platforms suffers  
from a certificate validation vulnerability which allows an attacker  
to successfully run a man-in-the-middle attack and to steal the  
credentials of the user.  
  
When the FortiClient VPN client is tricked into connecting to a proxy  
server rather than to the original firewall (e.g. through ARP or DNS  
spoofing,) it detects the wrong SSL certificate but it only warns the  
user _AFTER_ it has already sent the password to the proxy.  
  
Rating  
------  
Critical. User can not prevent interception. Intercepted credentials  
give full access to VPN.  
  
Vulnerable versions:  
-------------------  
Tested:  
- FortiClient Lite 4.3.3.445 on Windows 7  
- FortiClient SSL VPN 4.0.2012 for Linux on Ubuntu  
- FortiClient Lite Android 2.0  
  
Acknowledged by vendor  
- FortiClient v4.3.3 - Patch 3 on Windows  
- FortiClient v4.0 - Patch 2 on MacOS  
  
History  
-------  
April 11, 2012: Vendor first contacted  
May 2, 2012: Problem acknowledged  
Dec 21, 2012: Vendor has patched all versions except Android v2  
  
  
Current Status  
--------------  
April 2013:  
Android FortiClient Lite v2.0.0223 still not patched and available on  
Play Store.  
Linux version not supported anymore. Apparently no patch available.  
  
According to vendor all other versions have been patched on all  
available platforms (as of V4.3 patch 11).  
  
  
Credit:  
-------  
Discovered by Cédric Tissières and Philippe Oechslin, Objectif Sécurité  
  
www.objectif-securite.ch  
  
--   
Philippe Oechslin  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 May 2013 00:00Current
7.4High risk
Vulners AI Score7.4
forticlientvpncredential interceptionman-in-the-middle attackvendor patchandroidlinux
16