CVE-2024-35282 Overview
A cleartext storage of sensitive information in memory vulnerability (CWE-316) has been identified in FortiClient VPN for iOS. This security flaw allows an unauthenticated attacker with physical access to a jailbroken iOS device to extract cleartext VPN credentials by performing a keychain dump operation. The vulnerability affects a wide range of FortiClient VPN iOS versions across multiple major release branches.
Critical Impact
Attackers with physical access to jailbroken iOS devices can extract VPN credentials in plaintext, potentially compromising enterprise network access and enabling further attacks on corporate infrastructure.
Affected Products
- FortiClient VPN iOS 7.2 (all versions)
- FortiClient VPN iOS 7.0 (all versions)
- FortiClient VPN iOS 6.4 (all versions)
- FortiClient VPN iOS 6.2 (all versions)
- FortiClient VPN iOS 6.0 (all versions)
Discovery Timeline
- 2024-09-10 - CVE-2024-35282 published to NVD
- 2024-09-20 - Last updated in NVD database
Technical Details for CVE-2024-35282
Vulnerability Analysis
This vulnerability stems from improper handling of sensitive credential data within the FortiClient VPN iOS application. The application stores VPN authentication credentials in cleartext within device memory, specifically in the iOS keychain without adequate protection mechanisms. When a device is jailbroken, the normal iOS security sandbox protections are bypassed, allowing malicious actors to access the keychain contents directly.
The vulnerability requires physical access to the target device, limiting the attack surface to scenarios where an attacker can directly interact with a compromised or jailbroken iPhone or iPad. However, the impact is significant as successful exploitation yields VPN credentials that could provide unauthorized access to protected corporate networks.
Root Cause
The root cause of CVE-2024-35282 is the storage of sensitive VPN credentials in cleartext within the iOS keychain (CWE-316: Cleartext Storage of Sensitive Information in Memory, CWE-312: Cleartext Storage of Sensitive Information). FortiClient VPN fails to implement proper encryption or obfuscation of password data before storing it in memory, making the credentials trivially recoverable on jailbroken devices where keychain access controls are circumvented.
Properly secured mobile applications should encrypt sensitive credentials using hardware-backed cryptographic keys or employ secure enclave protection to prevent credential extraction even on compromised devices.
Attack Vector
The attack requires physical access to a jailbroken iOS device running a vulnerable version of FortiClient VPN. An attacker would follow this general approach:
- Obtain physical access to the target iOS device
- Ensure the device is jailbroken (or jailbreak it if possible)
- Use keychain dumping tools available on jailbroken devices to extract keychain contents
- Locate FortiClient VPN entries containing stored credentials
- Extract the cleartext username and password data
The attacker does not require authentication to the application itself, as the credentials are accessible directly from the iOS keychain storage once jailbreak protections are bypassed.
Detection Methods for CVE-2024-35282
Indicators of Compromise
- Unusual VPN login attempts from unexpected geographic locations using valid credentials
- Multiple simultaneous VPN sessions from the same user account
- VPN authentication from devices not matching the user's registered iOS device identifiers
- Evidence of keychain access tools or jailbreak artifacts on managed iOS devices
Detection Strategies
- Implement Mobile Device Management (MDM) solutions to detect jailbroken iOS devices in the enterprise environment
- Monitor VPN authentication logs for anomalous login patterns or credential reuse from unknown devices
- Deploy endpoint detection solutions capable of identifying jailbreak indicators on iOS devices
- Enable multi-factor authentication (MFA) for VPN connections to detect credential theft attempts
Monitoring Recommendations
- Configure alerting for VPN logins from new or unrecognized device identifiers
- Establish baseline VPN usage patterns per user and alert on deviations
- Monitor for concurrent VPN sessions that may indicate credential sharing or theft
- Review FortiClient VPN logs for failed authentication attempts followed by successful logins from different devices
How to Mitigate CVE-2024-35282
Immediate Actions Required
- Audit your environment for jailbroken iOS devices using MDM or endpoint management tools
- Enforce device compliance policies that prevent jailbroken devices from connecting to corporate VPN
- Reset VPN credentials for users whose iOS devices may have been compromised or jailbroken
- Implement multi-factor authentication for all FortiClient VPN connections
- Review the Fortinet Security Advisory for vendor-specific guidance
Patch Information
Fortinet has published a security advisory (FG-IR-24-139) addressing this vulnerability. Organizations should consult the Fortinet Security Advisory for specific patch versions and upgrade instructions. Given that all versions of FortiClient VPN iOS across the 6.0, 6.2, 6.4, 7.0, and 7.2 release branches are affected, users should upgrade to the latest patched version as recommended by Fortinet.
Workarounds
- Enforce MDM policies to block jailbroken devices from accessing corporate resources
- Implement certificate-based authentication instead of or in addition to password-based VPN authentication
- Deploy conditional access policies that require device compliance verification before VPN connection
- Consider using temporary or rotating VPN credentials to limit the window of exposure
- Enable VPN session monitoring and automatic disconnection for suspicious activity patterns
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
