CVE-2020-7043: 
FortiClient VPN vulnerability analysis and mitigation

An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL before 1.0.2. The vulnerability (CVE-2020-7043) involves improper certificate validation in tunnel.c where hostname comparisons fail to consider null ('\0') characters, making it possible for attackers to perform person-in-the-middle attacks using specially crafted certificates (e.g., good.example.com\x00evil.example.com) (GitHub Security Lab).

The vulnerability stems from the use of strncasecmp function for certificate hostname validation, which incorrectly handles null bytes in the certificate's CommonName field. When openfortivpn is compiled against an OpenSSL library that doesn't provide the X509_check_host function (OpenSSL < 1.0.2), the client improperly verifies the server's certificate hostname. The vulnerability allows an attacker to create a certificate with a CommonName containing a null byte to bypass hostname verification (GitHub Security Lab).

This vulnerability enables attackers who can obtain valid certificates from a Certificate Authority with specially crafted CommonNames to perform person-in-the-middle attacks against VPN clients. This could potentially lead to the interception of network traffic between the client and the VPN server (GitHub Security Lab).

The vulnerability was fixed in openfortivpn version 1.12.0. The fix involves replacing the vulnerable hostname validation code with a secure implementation from iSECPartners, which properly handles null bytes in certificate fields. Users should upgrade to version 1.12.0 or later to protect against this vulnerability (GitHub Commit).

Multiple Linux distributions responded to the vulnerability by releasing security updates, including Fedora 30, 31, and 32, which packaged and distributed the fixed version 1.12.0 to their users (Fedora Update).