  • Zero-Day Vulnerability in FortiClient VPN Allows Credential Theft
November 20, 2024

Zero-Day Vulnerability in FortiClient VPN Allows Credential Theft


BrazenBamboo Exploits FortiClient Zero-Day Vulnerability

Security researchers at Volexity have disclosed a zero-day vulnerability in Fortinet's Windows VPN client, FortiClient, that lets an attacker who already has code execution on the host read the logged-in user's VPN credentials out of the application's memory. The flaw was found while Volexity was investigating the DEEPDATA malware family, a post-exploitation toolkit used by a Chinese threat actor tracked as BrazenBamboo.

The Discovery

The vulnerability was identified in July 2024 during Volexity's analysis of a DEEPDATA malware sample. The root cause is that FortiClient does not clear the username, password, and gateway details from its process memory after the user has authenticated and the tunnel is up, so any code able to read that process can recover them. Volexity reported the vulnerability to Fortinet on July 18, 2024; Fortinet acknowledged the issue on July 24, but it remains unresolved at the time of publication.

Technical Details

FIGURE 1: FortiClient Memory Extraction Code

The vulnerability exists in the then-current FortiClient release (v7.4.0) and allows attackers to extract sensitive information, including usernames, passwords, and remote gateway details, from two different JSON objects stored in memory. Notably, the plugin's approach is specific to that release and does not work against older versions of the FortiClient VPN client.

The technique resembles an issue documented in 2016, in which FortiClient credentials could likewise be read from process memory at hardcoded offsets. That earlier issue was never assigned a CVE identifier.

BrazenBamboo's Arsenal

The discovery was made while investigating DEEPDATA, a sophisticated post-exploitation tool developed by BrazenBamboo. This malware family includes 12 unique plugins designed for various data theft operations, with the FortiClient exploitation capability implemented through a plugin named "msenvico.dll."

FIGURE 2: DEEPDATA Architecture Diagram

FIGURE 3: DEEPDATA Plugin Capabilities Table

DEEPDATA's capabilities extend beyond VPN credential theft to include:

  • Extraction of credentials from 18 different sources

  • Collection of data from messaging apps like WeChat, WhatsApp, and Signal

  • Audio recording capabilities

  • Browser data theft from major browsers

  • System information gathering

  • WiFi credential collection

Recommendations

While a patch is pending, organizations using FortiClient VPN should:

  1. Treat this as a post-exploitation technique, not a remote one: the attacker must already be running code on the endpoint to read FortiClient's memory, so endpoint hardening and EDR coverage on hosts that run the VPN client are the first line of defense.

  2. Enforce multi-factor authentication on VPN logins so that a username and password lifted from memory are not sufficient on their own, and monitor VPN gateway logs for logins from unexpected locations or devices.

  3. Rotate the VPN credentials of any user whose endpoint is suspected of compromise, since anything typed into the client may have been captured.

  4. Alert on processes that open a handle with memory-read access to the FortiClient process (for example, Sysmon Event ID 10 ProcessAccess records), which is the visible precondition for this kind of credential theft.

  5. Consider alternative VPN solutions if immediate mitigation is required.
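A concrete form of the memory-monitoring recommendation, as an added example that is not code from the original article or from Volexity: a small Python detector that scans Sysmon Event ID 10 (ProcessAccess) records for processes opening a handle with PROCESS_VM_READ to a FortiClient process, and raises the severity when Sysmon's CallTrace shows the access came from memory not backed by a loaded module. The FortiClient image names, the allowlist of legitimate source processes, and the log records themselves are constructed assumptions for the example; the article names no process images, so verify them against your own install.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Windows process access right that allows reading another process's memory,
# the minimum a credential-dumping plugin needs against FortiClient.
PROCESS_VM_READ = 0x0010

# ASSUMPTION: image names of FortiClient processes to protect. The original
# article does not list process names; check these against your deployment.
FORTICLIENT_IMAGES = {"forticlient.exe", "fortisslvpndaemon.exe", "fortitray.exe"}

# ASSUMPTION: hypothetical allowlist of system processes that legitimately open
# read-capable handles to other processes (extend with your EDR agent).
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def analyze_event(event: Dict) -> Optional[Dict]:
    """Return an alert for a suspicious Sysmon ProcessAccess event, else None."""
    if int(event.get("EventID", 0)) != 10:
        return None                      # only ProcessAccess events matter here
    if image_name(event.get("TargetImage", "")) not in FORTICLIENT_IMAGES:
        return None
    # Sysmon renders GrantedAccess as a hex string such as "0x1010".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None                      # handle cannot read memory, ignore
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWLISTED_SOURCES:
        return None
    # Sysmon writes "UNKNOWN(addr)" into CallTrace when a return address is not
    # backed by a loaded module, typical of injected or reflectively loaded code.
    unbacked = "UNKNOWN" in event.get("CallTrace", "")
    return {
        "time": event.get("UtcTime"),
        "source": source,
        "source_pid": event.get("SourceProcessId"),
        "target": event.get("TargetImage"),
        "granted_access": hex(granted),
        "severity": "high" if unbacked else "medium",
    }


def scan_log(text: str) -> List[Dict]:
    """Scan newline-delimited JSON Sysmon events and return alerts in log order."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                     # skip malformed lines rather than crash
        alert = analyze_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry), in the shape a log shipper
# would forward Sysmon events as JSON lines.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2024-11-20 09:00:01.000",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "GrantedAccess": "0x1000",          # query-only, no memory read
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"EventID": 10, "UtcTime": "2024-11-20 09:00:05.000",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "SourceProcessId": 5212,
     "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "GrantedAccess": "0x1010",          # PROCESS_VM_READ | QUERY_LIMITED_INFORMATION
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(000001E8D1F70000)"},
    {"EventID": 1, "UtcTime": "2024-11-20 09:00:06.000",
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 10, "UtcTime": "2024-11-20 09:00:09.000",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "SourceProcessId": 6644,
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"EventID": 10, "UtcTime": "2024-11-20 09:00:12.000",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "SourceProcessId": 6644,
     "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "GrantedAccess": "0x1fffff",        # PROCESS_ALL_ACCESS includes VM_READ
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\SYSTEM32\KERNELBASE.dll+2e5a8"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample input the detector returns two alerts: the rundll32.exe access (high, because the call stack contains unbacked memory) and the access from the Temp-directory binary (medium). Tune the allowlist on real telemetry before deploying; backup agents and EDR sensors open read handles to many processes and will otherwise dominate the output.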

The discovery emphasizes the critical importance of regular security auditing of VPN clients and the need for vendors to implement secure credential handling practices in memory-resident applications.

This vulnerability remains unpatched as of November 2024, and no CVE has been assigned yet. Organizations are advised to monitor Fortinet's security advisories for updates.

Anthony Denis

Anthony Denis a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
