FortiOS SSL VPN user credential plaintext storage

Summary

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system.


To successfully exploit this weakness, another unrelated weakness (eg: a system file leaking vulnerability) would therefore need to be exploited first.

Affected Products

FortiOS 6.2.0 to 6.2.2, 6.0.9 and below, 5.6.13 and below.

Solutions

Upgrade to FortiOS 6.0.10 or 6.2.3 or 5.6.14 or above

Revision History:
2020-01-27 Initial Version
2020-06-26 New fix on 6.0.10 released.
2021-07-29 New fix on 5.6.14 released