MitM attack in Fortinet FortiClient



Published: 2024-06-11
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-3661
CWE-ID CWE-300
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe 		Fortinet FortiClient for Windows
Server applications / Other server solutions

FortiClient (Linux)
Client/Desktop applications / Software for system administration

FortiClient (macOS)
Client/Desktop applications / Software for system administration

Vendor Fortinet, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Man-in-the-Middle (MitM) attack

EUVDB-ID: #VU91755

Risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-3661

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to way the VPN client handles routes advertised by the DHCP server. A remote attacker with access to the local network can route the victim's traffic to a malicious server instead of sending it via a secured channel.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiClient for Windows: 0 - 7.2.4

FortiClient (Linux): 6.0.0 - 7.2.4

FortiClient (macOS): 5.6.6 - 7.2.4

External links

http://datatracker.ietf.org/doc/html/rfc2131#section-7
http://datatracker.ietf.org/doc/html/rfc3442#section-7
http://tunnelvisionbug.com/
http://www.leviathansecurity.com/research/tunnelvision
http://news.ycombinator.com/item?id=40279632
http://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
http://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
http://issuetracker.google.com/issues/263721377
http://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
http://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
http://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
http://news.ycombinator.com/item?id=40284111
http://www.agwa.name/blog/post/hardening_openvpn_for_def_con
http://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
http://www.fortiguard.com/psirt/FG-IR-24-170


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###