



SEC Consult has created a proof-of-concept (PoC) tool that exploits the vulnerability to recover passwords, but it will only be made public after users have had a chance to update their FortiClient installations. “(Internal) attackers with valid domain credentials can then harvest all credentials of all other VPN users and gain access to their domain user account (e.g. “The vulnerabilities are mostly problematic in an enterprise environment where the VPN is often authenticated against domain accounts,” Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek. An attacker can easily find the encrypted passwords and decrypt them using the hardcoded key. The second issue is that while the credentials are stored in an encrypted form, the decryption key is hardcoded in the application and it’s the same across all installations. One of the problems is related to the fact that the VPN credentials are stored in a configuration file (on Linux and macOS) and in the registry (on Windows) – locations that are easily accessible. Researchers at SEC Consult have discovered a couple of issues that can be exploited to access VPN authentication credentials associated with the product. Updates released by Fortinet for its FortiClient product patch a serious information disclosure vulnerability that can be exploited to obtain VPN authentication credentials.įortiClient is a next-generation endpoint protection product that includes web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features for desktop and mobile systems running Windows, macOS, Linux, Android and iOS.
