If you’ve used FortiClient on a Mac, especially versions between 7.. and 7..5, you should know about a dangerous vulnerability — CVE-2022-33878. This security issue let local users grab the SSL-VPN password in *cleartext*. That means, with just a terminal command, someone could grab your VPN credentials if they already had access to your computer. Let’s break it down in plain English, look at the code, see how the exploit works, and how you can protect yourself.

The Lowdown: What Is CVE-2022-33878?

- Vulnerability type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Impact: Local authenticated users can easily see VPN passwords in the system logs.

- Cause: The FortiTray process, part of FortiClient, logs VPN connection details — including the password — in cleartext. Anyone with a user account can tap into these logs live.

Why Is This Bad?

If someone else (like a coworker, or someone who sneaks onto your Mac) opens the terminal and runs a certain command, they can see your VPN password as you type it in. This is like writing your bank password on a sticky note — bad news!

The attacker needs local access, but macOS machines are often shared, and attackers sometimes get limited access as the first step.

Code Snippet: Watching FortiTray’s Logs for VPN Passwords

FortiTray is the helper process FortiClient uses, and it logs sensitive information. Here’s the exact terminal command an attacker would use:

log stream --predicate 'process == "FortiTray"' --info

Or, using a quick filter to just passwords

log stream --predicate 'process == "FortiTray"' --info | grep -i password

When the legitimate user types their SSL-VPN password into FortiClient, the attacker’s terminal will *show it right there*.

Example output

2022-08-12 11:12:57.123 FortiTray[9876:302] Sending SSL-VPN connection with user=testuser, password=SuperSecret123!

That’s it. No hacking tools needed — just the terminal.

How Was This Discovered?

Security researchers, and likely some observant admins, caught that FortiClient was writing the password directly into the system log when users connected via VPN. This isn’t the first time logging has leaked credentials — but it’s always a critical issue.

The Fix

Fortinet patched this in version 7..6 and above. If you’re using FortiClient for Mac, check your version right now!

How to update:

Visit the official download page and get the latest FortiClient version for Mac.

Vendor advisory:

Fortinet Security Advisory on CVE-2022-33878

Official References

- NVD Summary for CVE-2022-33878
- CWE-200 Exposure of Sensitive Information
- Fortinet Advisory Link

Upgrade: If you’re on *any* version below FortiClient 7..6 for Mac, upgrade ASAP.

- Audit: Check who has had access to your machine. If you suspect your VPN password might be compromised, change it.
- Best practice: Be cautious with logs. Always assume logs can be read — avoid logging passwords or sensitive credentials.

In Summary

CVE-2022-33878 is a classic "oops" in IT: useful logging went too far and wrote passwords into a place where they could be stolen. It only worked for local attackers, but that’s still a huge risk for shared or vulnerable computers.

Keep your systems — and your secrets — safe by patching quickly and keeping an eye on your logs.

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/04/2022 14:10:00 UTC