CVE-2024-50570: 
FortiClient vulnerability analysis and mitigation

A Cleartext Storage of Sensitive Information vulnerability (CVE-2024-50570) affects FortiClient Windows and FortiClient Linux. The vulnerability was discovered and disclosed on December 18, 2024, impacting multiple versions of FortiClient across Windows, Linux, and Mac platforms. The affected versions include FortiClientWindows 7.4.0-7.4.1, 7.2.0-7.2.6, 7.0.0-7.0.13, FortiClientLinux 7.4.0-7.4.2, 7.2.0-7.2.7, 7.0.0-7.0.13, and FortiClientMac versions in the 7.0-7.4 range (Fortinet PSIRT).

The vulnerability, identified as CWE-312, stems from improper handling of sensitive information by JavaScript's garbage collector, which allows VPN passwords to be exposed in memory. The vulnerability has been assigned a CVSS v3.1 score of 5.0 (Medium), with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N, indicating that successful exploitation requires local access, high privileges, and user interaction (NVD).

If exploited, this vulnerability enables local authenticated users to retrieve VPN passwords through memory dumps. This could potentially lead to unauthorized access to VPN connections and compromise of sensitive network resources (Fortinet PSIRT).

Fortinet has released patches for all affected versions and recommends upgrading to the following versions: FortiClient 7.4.3 or above for 7.4 versions, 7.2.8 or above for 7.2 versions, and 7.0.14 or above for 7.0 versions. As temporary workarounds, users can enable two-factor authentication under user configuration in FortiOS and ensure the FortiClient console closes automatically after VPN connection establishment. For SAML authentication users, the vulnerability is mitigated when using FortiClient's built-in browser as long as the console closes after VPN connection (Fortinet PSIRT).