PT-2020-6666 · Fortinet · FortiOS, FortiProxy

Published 2020-06-16 · Updated 2021-09-07 · CVE-2019-17655

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

FortiOS 6.2.0 through 6.2.2
FortiOS 6.0.9 and earlier
FortiProxy 2.0.0
FortiProxy 1.2.9 and earlier
Description The SSL VPN session file on the affected devices holds the logged-in user's credentials in cleartext (CWE-312, cleartext storage of sensitive information). An attacker who can read that file on the device therefore recovers the user's credentials directly, with no cryptographic work needed. The flaw is not exploitable on its own: the attacker must first obtain read access to the session file through a separate, unrelated weakness on the same device, such as an arbitrary file read or file-disclosure vulnerability, and then chain the two.
Recommendations For all four affected branches (FortiOS 6.2.0 through 6.2.2, FortiOS 6.0.9 and earlier, FortiProxy 2.0.0, FortiProxy 1.2.9 and earlier), upgrade to a release in which the session file no longer stores credentials in cleartext; consult the vendor advisory for the exact fixed version of each branch. Until the upgrade is applied, restrict read access to the SSL VPN session file on the device so that only the VPN process can open it. Because this issue turns any file-disclosure bug into a credential leak, prioritise patching such bugs on the same device, and rotate the passwords of users who logged in over SSL VPN if a file-read vulnerability is known to have been exposed while the device ran an affected version.
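To make the weakness class concrete, the following is an added example written for this page; it is not FortiOS or FortiProxy code, whose session-file format is not shown here. It contrasts a session store that persists the user's password in cleartext (the CWE-312 pattern the advisory describes) with a hardened store that keeps the password off disk, binds the session to a server-side key with an HMAC so an edited file is rejected, and creates the file with mode 0600, which is the "restrict access to the session file" workaround above. The file names, the username alice, the password value and the attacker_reads_file function are constructed assumptions; the last one stands in for the separate file-disclosure bug the advisory says must be chained first.

```python
"""Added example: CWE-312 in an SSL VPN style session store.

Constructed for this page; it is not FortiOS or FortiProxy code. It contrasts a
session file that stores the user's password in cleartext with one that stores
only an opaque session id and an HMAC tag, created with mode 0600.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile


def vulnerable_save_session(path: str, username: str, password: str) -> str:
    """Cleartext storage: the password is persisted next to the session id."""
    sid = secrets.token_hex(16)
    with open(path, "w") as f:
        json.dump({"user": username, "password": password, "sid": sid}, f)
    return sid


def hardened_save_session(path: str, username: str, server_key: bytes) -> str:
    """Persist only an opaque session id plus an HMAC over (user, sid).

    The password is never written; the HMAC lets the server detect a forged or
    edited session file; the file is created with mode 0600 so only the owner
    (the VPN daemon) can read it.
    """
    sid = secrets.token_hex(16)
    tag = hmac.new(server_key, f"{username}:{sid}".encode(), hashlib.sha256).hexdigest()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"user": username, "sid": sid, "tag": tag}, f)
    return sid


def hardened_validate(path: str, server_key: bytes, presented_sid: str):
    """Return the session's username, or None if the file was edited or the sid is wrong."""
    with open(path) as f:
        sess = json.load(f)
    expected = hmac.new(server_key, f"{sess['user']}:{sess['sid']}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sess["tag"]):
        return None
    if not hmac.compare_digest(sess["sid"], presented_sid):
        return None
    return sess["user"]


def attacker_reads_file(path: str) -> str:
    """Hypothetical stand-in for the separate file-disclosure bug chained first."""
    with open(path) as f:
        return f.read()


def run_demo() -> dict:
    """Exercise both stores and report what a file-read attacker obtains."""
    password = "Sup3rSecret!"          # constructed sample credential
    server_key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as d:
        vuln_path = os.path.join(d, "vuln.session")
        hard_path = os.path.join(d, "hard.session")
        vulnerable_save_session(vuln_path, "alice", password)
        sid = hardened_save_session(hard_path, "alice", server_key)

        vuln_dump = attacker_reads_file(vuln_path)
        hard_dump = attacker_reads_file(hard_path)
        mode = os.stat(hard_path).st_mode & 0o777
        validated_user = hardened_validate(hard_path, server_key, sid)

        # An attacker who can also write the file tries to rebind the session to admin.
        forged = json.loads(hard_dump)
        forged["user"] = "admin"
        with open(hard_path, "w") as f:
            json.dump(forged, f)
        forged_user = hardened_validate(hard_path, server_key, sid)

        return {
            "vulnerable_leaks_password": password in vuln_dump,
            "hardened_leaks_password": password in hard_dump,
            "hardened_validates_user": validated_user,
            "forged_session_rejected": forged_user is None,
            "hardened_file_mode": mode,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {oct(value) if key == 'hardened_file_mode' else value}")
```

The point of the HMAC is not to hide anything (the file is still readable by whoever can read it) but to make the session file worthless to copy or edit without the server key; the 0600 mode is what actually narrows who can read it, and is the only part of the hardening that matches the advisory's interim workaround.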

Weakness Enumeration

CWE-312: Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2022-03218
CVE-2019-17655

Affected Products

FortiOS
FortiProxy