Fortinet FortiClient VPN Credential Disclosure

Published: 13 Dec 2017 00:00:00 | Reported by: M. Li | Type: packetstorm | Source: packetstormsecurity.com | Views: 77

Fortinet FortiClient VPN credentials disclosure - high impact: a hardcoded credential encryption key combined with overly permissive access control on the credential store. Patched versions must be installed immediately.

Related

| Family | Title | Published | Source |
|---|---|---|---|
| 0day.today | Fortinet FortiClient VPN Credential Disclosure Vulnerability | 14 Dec 2017 00:00 | zdt |
| CVE | CVE-2017-14184 | 15 Dec 2017 21:00 | cve |
| Cvelist | CVE-2017-14184 | 15 Dec 2017 21:00 | cvelist |
| EUVD | EUVD-2017-5694 | 7 Oct 2025 00:30 | euvd |
| Fortinet | FortiClient insecure VPN credential storage and encryption | 20 Apr 2018 00:00 | fortinet |
| NVD | CVE-2017-14184 | 15 Dec 2017 21:29 | nvd |
| Prion | Information disclosure | 15 Dec 2017 21:29 | prion |
| Vulnrichment | CVE-2017-14184 | 15 Dec 2017 21:00 | vulnrichment |
`SEC Consult Vulnerability Lab Security Advisory < 20171213-0 >  
=======================================================================  
title: VPN credentials disclosure  
product: Fortinet FortiClient  
vulnerable version: <4.4.2335 on Linux, <5.6.1 on Windows, <5.6.1 on Mac OSX  
fixed version: 4.4.2335 on Linux, 5.6.1 on Windows, 5.6.1 on Mac OS X  
CVE number: CVE-2017-14184  
impact: High  
homepage: https://www.fortinet.com/ | http://forticlient.com/  
found: 2017-08-29  
by: M. Li (Office Singapore)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"From the start, the Fortinet vision has been to deliver broad, truly  
integrated, high-performance security across the IT infrastructure.  
  
We provide top-rated network and content security, as well as secure access  
products that share intelligence and work together to form a cooperative  
fabric. Our unique security fabric combines Security Processors, an intuitive  
operating system, and applied threat intelligence to give you proven security,  
exceptional performance, and better visibility and control--while providing  
easier administration."  
  
Source: https://www.fortinet.com/corporate/about-us/about-us.html  
  
  
Business recommendation:  
------------------------  
The patched FortiClient versions should be installed immediately as the VPN  
credentials could be decrypted by an attacker.  
  
  
Vulnerability overview/description:  
-----------------------------------  
FortiClient stores the VPN authentication credentials in a configuration file  
(on Linux or Mac OSX) or in the registry (on Windows). The credentials are  
encrypted but can still be recovered, since the decryption key is hardcoded  
in the program and identical on all installations. In addition, the credential  
storage is world-readable, which is what makes the recovery possible for any  
local user in the first place.  
  
  
Proof of concept:  
-----------------  
1) Hardcoded key  
The hardcoded key can be disclosed on the Linux version by issuing the following  
command:  
$ strings forticlientsslvpn |grep "fc_1A"  
fc_1A2Brown3Fox4Jumped5Over6A7Lazy8Dog  
  
The same decryption key can be found in the Windows and Mac OSX binary.  
  
  
2) Overly permissive access control  
The read access of the configuration file is set for "others" too, making the file  
world-readable. On Mac OSX, the file can be found under  
/Library/Application Support/Fortinet/FortiClient/conf/vpn.plist  
while the same dataset is stored in the registry key  
HKLM\SOFTWARE\WOW6432Node\Fortinet\FortiClient\Sslvpn\Tunnels  
on Windows, which is world-readable for all users as well.  
  
$ ls -l /home/user/.fctsslvpnhistory  
-rw-rw-rw- 1 root root 1227 Aug 23 12:26 .fctsslvpnhistory  
$ cat /home/user/.fctsslvpnhistory  
...  
profile=demo  
p12passwdenc=Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51  
path=  
passwordenc=Enc 420d2ee65abded897a69c50f49956909f61e3e549873cdfecf12bafdfa7b78f789a17ba1a5a6c9eb1803  
user=li  
port=443  
server=server.com  
...  
  
  
Combining the two issues, an attacker can steal the password of any user who  
has a FortiClient profile on the system. In an enterprise environment, where  
employees usually log onto the VPN server with their domain credentials, a  
malicious employee can harvest the credentials of colleagues at scale by logging  
onto workstations where their credentials have been stored. Hence an attacker  
might steal the credentials of any user in the domain and gain access to their  
user account (e.g. emails, other private data).  
  
  
SEC Consult developed a proof of concept tool which takes the encrypted string as  
input and prints the decrypted hexadecimal bytes followed by the recovered  
password. For now, this tool will not be released to give users more time to  
patch.  
  
  
$ kr 420d2ee65abded897a69c50f49956909f61e3e549873cdfecf12bafdfa7b78f789a17ba1a5a6c9eb1803  
0x50 0x61 0x73 0x73 0x77 0x6f 0x72 0x64  
0x52 0x65 0x63 0x6f 0x76 0x65 0x72 0x65  
0x64 0x00  
PasswordRecovered  
  
  
The advisory on our website also contains further detailed technical information  
with screenshots:  
https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been identified in version 4.4.2332 on Linux, version  
5.6.0.1075 on Windows and version 5.6.0.703 on Mac OSX, which were the latest  
versions of the product at the time of the audit to our best knowledge.  
  
  
Vendor contact timeline:  
------------------------  
2017-08-30: Contacting vendor through [email protected]  
2017-09-19: Contacting vendor again due to lost message  
2017-09-20: Vendor confirmed and assigned CVE-2017-14184 to the issues  
2017-10-19: Vendor requested to postpone the release date  
2017-11-02: Vendor informed the fix for Windows and OS X was done  
2017-11-22/23: Vendor released 5.6.1 for OS X and 5.6.2 for Windows  
2017-12-08: Vendor informed that the fix for Linux is available together  
with FortiOS release version 5.4.7  
2017-12-13: Public disclosure of advisory  
  
  
Solution:  
---------  
According to the vendor, all the identified issues have been fixed in the  
following versions:  
* FortiClient for Windows v5.6.1  
* FortiClient for Mac OSX v5.6.1  
* FortiClient SSLVPN Client for Linux v4.4.2335, released together with FortiOS 5.4.7  
  
For further information see the website of the vendor:  
https://fortiguard.com/psirt/FG-IR-17-214  
  
Please upgrade to the latest version immediately.  
  
  
Workaround:  
-----------  
It is recommended not to save the password in the client and to remove read/write  
permissions on the credential store for low-privileged users and groups.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF M. Li / @2017  
  
`
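An added audit check for the two issues the advisory describes (the world-readable credential store and the "do not save the password / restrict permissions" workaround). This is example code written here, not SEC Consult's withheld tool and not Fortinet code: it parses a file in the `.fctsslvpnhistory` layout shown in the advisory, lists profiles that hold a saved password, flags group/world read bits, and applies the owner-only permission fix. The sample file content is constructed; its hex blob is made up and the `nosave` profile is invented to show the no-password case.

```python
import os
import stat
import tempfile

# Constructed sample in the key=value layout the advisory shows; the hex blob is made up.
SAMPLE_HISTORY = """profile=demo
passwordenc=Enc 00112233445566778899aabbccddeeff
user=li
server=server.com
profile=nosave
passwordenc=
"""

def parse_profiles(text):  # one dict per 'profile=' block of the flat file
    profiles, current = [], None
    for line in filter(None, text.splitlines()):
        key, _, value = line.partition("=")
        if key == "profile":
            current = {"profile": value}
            profiles.append(current)
        elif current is not None:
            current[key] = value
    return profiles

def stored_password_profiles(profiles):
    # A saved VPN password shows up as 'passwordenc=Enc <hex>'; empty means not saved.
    return [p["profile"] for p in profiles if p.get("passwordenc", "").startswith("Enc ")]

def insecure_mode(mode):
    # Group or world read bit set, as in the advisory's -rw-rw-rw- listing.
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_history_file(path):
    """Return (readable_by_others, [profiles with a saved password]) for one file."""
    with open(path, encoding="utf-8") as fh:
        profiles = parse_profiles(fh.read())
    return insecure_mode(os.stat(path).st_mode), stored_password_profiles(profiles)

def harden(path):
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # advisory workaround: owner-only rw
    return audit_history_file(path)

def demo():
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_HISTORY)
    os.chmod(path, 0o666)
    before, after = audit_history_file(path), harden(path)
    os.unlink(path)
    return before, after
```

`demo()` writes the sample with the advisory's 0666 mode, audits it, hardens it and audits again, so a run shows the store going from readable by everyone to owner-only while the saved password in the `demo` profile is still reported.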


Published: 13 Dec 2017 00:00 (current)
Vulners AI Score: 8.9 (High risk)
EPSS: 0.01649
Views: 77