CVE-2017-17543 — Inadequate Encryption Strength in Fortinet Forticlient

CWE-326 — Inadequate Encryption Strength CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 79.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Forticlient Fortinet Forticlient Sslvpn Client Fortinet INC Forticlient FOR MAC OSX +2 more

Timeline

PublishedApr 26

Latest updateMay 13

Description

Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5fortinet_inc/forticlient_sslvpn_client_for_linux4.4.2335 and below versions

▶NVDfortinet/forticlient_sslvpn_client4.4.2335

▶CVEListV5fortinet_inc/forticlient_for_windows5.6.0 and below versions

▶NVDfortinet/forticlient5.6.0

▶CVEListV5fortinet_inc/forticlient_for_mac_osx5.6.0 and below versions

🔴Vulnerability Details

GHSA

GHSA-94g8-mrxq-q59c: Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5↗2022-05-13

▶

CVEList

CVE-2017-17543: Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5↗2018-04-26

▶

📋Vendor Advisories

Fortinet

An Information Disclosure vulnerability in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Ma...↗2017-12-15

▶