Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4235 Console window of FortiClient for Mac OS displays password in clear-text 11 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FortiClient Publisher: Fortiguard Operating System: Mac OS Impact/Access: Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-15704 Original Bulletin: https://fortiguard.com/psirt/FG-IR-19-227 - --------------------------BEGIN INCLUDED TEXT-------------------- Console window of FortiClient for Mac OS displays password in clear-text. IR Number : FG-IR-19-227 Date : Nov 08, 2019 Risk : 2/5 Impact : Information Disclosure CVE ID : CVE-2019-15704 CVE ID : CVE-2019-15704 Summary A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway. Impact Information Disclosure Affected Products FortiClient for Mac OS version 6.2.0 and below. FortiClient for Mac OS version 6.0.7 and below. Solutions Please upgrade to FortiClient for Mac OS version 6.2.1 and above. Please upgrade to FortiClient for Mac OS version 6.0.8 and above. Acknowledgement Fortinet is pleased to thank Raymond Lopez and Mihai Florea for reporting this issue under responsible disclosure and for helping us make our products more secure. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXcjeYWaOgq3Tt24GAQiVYBAAzhdLEteQ0ovse9FYpd3echmHc/FYanQl 1rZ8Gh7Pw/Eg7cHCKJFeGzwaAXeJn+Oty7QvOj1pfZePbzQt28B80O906vuf4txM AejehXAqI74wFrNGPfqCsKsMZoAzJ5ND0BAQDQy+nSv3E1c6cy4OU9OCzn2VV5pt LdC2Zm9zkirYaMInE390wxmPc1dVTeSvozdsnJJ3N7qDvDONHR1erK7CPSafH/FX KUTlv59vbzXLSh2MEW9l01Syl1uFVnKe658BBNa5weDXptjTzC/3indzQqFccJ4U iQbk3UDSFrIvkEw/ITt1G2xdEHBXpL6NT1B/EocBqN8bqOqUwRh7YRIT2JG4Bfxe +04SMHo34f/Mcna+oRnHdMO9U79T/vPHVufGZCyniFO3ocbkjWxSGILG8fagY8Na 3yEVSEPgKB9jOfx/SuAXU5UABgv5CtwKQMi34oGPoaY6Z+yMTcIYu+8Q/UdsJkdz /gCAWZFYg3ZqdpGtb6LAsC1c4Xsq/kTUbN0RQ5XlwJBwE0u/wTETzcbGRm1KZCod O7iNv1h8EM29J8xkvYt0fYPtt5sKJpoJ9oETT2ljnbXHzVVQfUDHfnylksjf7Xv9 6Wf19inydYDCnX6GmZtSiiTYBynYuNGgIUCRyVUfEQH3aNPv/Pi05kxJwp3oqrcJ FThw3CPmDB0= =72L4 -----END PGP SIGNATURE-----