#VU91755 Man-in-the-Middle (MitM) attack in Fortinet, Inc products


Published: 2024-06-11

Vulnerability identifier: #VU91755

Vulnerability risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-3661

CWE-ID: CWE-300

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Fortinet FortiClient for Windows
Server applications / Other server solutions
FortiClient (Linux)
Client/Desktop applications / Software for system administration
FortiClient (macOS)
Client/Desktop applications / Software for system administration

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to the way the VPN client handles routes advertised by the DHCP server. A remote attacker with access to the local network can route the victim's traffic to a malicious server instead of sending it via a secured channel.
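For defenders who want to inspect a lease, the following added example (not part of the original advisory or any Fortinet code) decodes the classless static route option defined in RFC 3442, linked under External links, and flags routes that would take precedence over the VPN's own routes. It assumes the DHCP-advertised routes arrive in option 121, that the host uses longest-prefix matching, and that the VPN installs a full-tunnel default route; the sample payload and addresses are constructed.

```python
import ipaddress

def parse_option_121(payload: bytes):
    """Decode a DHCP option 121 payload (RFC 3442) into (network, router) pairs.

    Each entry: 1 byte prefix length, the significant destination octets
    (ceil(prefix/8) of them), then 4 bytes of router address.
    """
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        if plen > 32 or i + 1 + n + 4 > len(payload):
            raise ValueError(f"malformed route entry at offset {i}")
        dest = payload[i + 1:i + 1 + n] + bytes(4 - n)  # pad to 4 octets
        router = payload[i + 1 + n:i + 5 + n]
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes

def routes_overriding_vpn(dhcp_routes, vpn_routes):
    """Return DHCP routes more specific than every VPN route covering them,
    so longest-prefix matching would send that traffic outside the tunnel."""
    flagged = []
    for net, router in dhcp_routes:
        covering = [v for v in vpn_routes if net.subnet_of(v)]
        if covering and net.prefixlen > max(v.prefixlen for v in covering):
            flagged.append((net, router))
    return flagged

# Constructed sample payload (not captured traffic).
SAMPLE_OPTION_121 = bytes([
    0, 192, 168, 1, 1,        # 0.0.0.0/0 via 192.168.1.1
    1, 0, 192, 168, 1, 66,    # 0.0.0.0/1 via 192.168.1.66
    1, 128, 192, 168, 1, 66,  # 128.0.0.0/1 via 192.168.1.66
])
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/0")]  # assumed full-tunnel route

if __name__ == "__main__":
    parsed = parse_option_121(SAMPLE_OPTION_121)
    for net, router in routes_overriding_vpn(parsed, VPN_ROUTES):
        print(f"suspicious DHCP route: {net} via {router}")
```

A route equal in length to the VPN route is not flagged, because which one wins then depends on route metrics rather than prefix length.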

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Fortinet FortiClient for Windows: 7.0.0 - 7.0.12, 7.2.0 - 7.2.4, 6.4.0 - 6.4.10, 6.2.0 - 6.2.9, 6.0.0 - 6.0.10, 5.6.0 - 5.6.6, 5.4.0 - 5.4.5, 5.2.0 - 5.2.8, 5.0.1 - 5.0.11, 4.3.0 - 4.3.3.445, 4.2.0, 4.1.0, 4.0.0 - 4.0.2, 0, 1.2.0 - 1.2.5, 1.0.0 - 1.0.5

FortiClient (Linux): 6.0.0 - 7.2.4

FortiClient (macOS): 5.6.6 - 7.2.4


External links
http://datatracker.ietf.org/doc/html/rfc2131#section-7
http://datatracker.ietf.org/doc/html/rfc3442#section-7
http://tunnelvisionbug.com/
http://www.leviathansecurity.com/research/tunnelvision
http://news.ycombinator.com/item?id=40279632
http://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
http://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
http://issuetracker.google.com/issues/263721377
http://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
http://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
http://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
http://news.ycombinator.com/item?id=40284111
http://www.agwa.name/blog/post/hardening_openvpn_for_def_con
http://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
http://www.fortiguard.com/psirt/FG-IR-24-170


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

