#VU47108 Improper validation of certificate with host mismatch in Fortinet FortiClient for Windows

Cybersecurity Help s.r.o.

Published: 2020-09-25

Vulnerability identifier: #VU47108

Vulnerability risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-297

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Fortinet FortiClient for Windows
Server applications / Other server solutions

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists in FortiClient SSL-VPN client due to the application does not properly validate server certificates and checks only if the certificate was issued by a trusted CA or Fortinet itself. A remote attacker can supply a certificate, issued to a different Fortigate router and perform a Man-in-the-Middle attack.

Successful exploitation of the vulnerability may allow an attacker to intercept and descrypt all traffic, protected with Fortinet SSL-VPN.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Fortinet FortiClient for Windows: 0, 1.0.0 - 1.0.5, 1.2.0 - 1.2.5, 4.0.0 - 4.0.2, 4.1.0, 4.2.0, 4.3.0 - 4.3.3.445, 5.0.1 - 5.0.11, 5.2.0 - 5.2.028, 5.4.0 - 5.4.5, 5.6.0 - 5.6.6, 6.0.0 - 6.0.8, 6.2.0 - 6.2.2, 6.4.0

External links
https://securingsam.com/breaching-the-fort/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

MitM attack in Fortinet Forticlient