CVE-2022-33878: Fortiguard
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Mac versions 7.0.0 through 7.0.5 may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext via running a logstream for the FortiTray process in the terminal.
PSIRT Advisories
FortiClient (MAC) - FortiTray stores the SSLVPN password in cleartext
Summary
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Mac may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext via running a logstream for the FortiTray process in the terminal.
Affected Products
FortiClientMac version 7.0.0 through 7.0.5
Solutions
Please upgrade to FortiClientMac version 7.0.6 or above
Acknowledgement
Fortinet is pleased to thank Pavel Bondarenko for reporting this vulnerability under responsible disclosure.
Workarounds
- Disable "Save Password" setting either on FortiGate SSLVPN settings or in FortiClientMAC
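Added example (not Fortinet's code) for fleet inventory: it decides whether a reported FortiClient (Mac) version falls inside the affected 7.0.0 through 7.0.5 range and prints the remediation from this advisory. The Info.plist layout, the bundle version key and the sample version strings are assumptions constructed for the example, not taken from the advisory.

```python
"""Flag FortiClient (Mac) installs in the CVE-2022-33878 affected range (7.0.0 - 7.0.5)."""
import plistlib
from typing import Tuple

AFFECTED_MIN = (7, 0, 0)   # first affected build, per the advisory
AFFECTED_MAX = (7, 0, 5)   # last affected build (inclusive)
FIXED_VERSION = "7.0.6"    # upgrade target named in the advisory

# Constructed sample Info.plist standing in for the one inside the FortiClient app bundle
# (assumption: the bundle reports its version in CFBundleShortVersionString).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>FortiClient</string>
  <key>CFBundleShortVersionString</key><string>7.0.5</string>
</dict></plist>"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce '7.0.5' or '7.0.5.0123' to (major, minor, patch); a fourth build component is ignored."""
    parts = text.strip().split(".")[:3]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True only for the 7.0.0 - 7.0.5 range the advisory lists; 7.0.6+ and other branches are not flagged."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_plist(data: bytes) -> str:
    """Pull CFBundleShortVersionString out of an Info.plist (XML or binary form)."""
    info = plistlib.loads(data)
    return str(info["CFBundleShortVersionString"])


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report, quoting the advisory's fix and workaround."""
    if is_affected(version):
        return (f"AFFECTED: FortiClient {version} is in 7.0.0-7.0.5; upgrade to {FIXED_VERSION} "
                f"or later and disable Save Password until then")
    return f"not affected: FortiClient {version} is outside the 7.0.0-7.0.5 range"


if __name__ == "__main__":
    print(assess(version_from_plist(SAMPLE_INFO_PLIST)))
```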