Hi everyone,
we are using the free Forticlient 7.2.2.
Following versions do not have a security fix included (says Fortinet website and MS Defender vuln scan)
But in the path of the installation we have these DLLs:
Defender says - exposed to:
CVE-2024-2511 CVE-2023-5678 CVE-2023-6237 CVE-2024-0727 CVE-2023-5363 CVE-2023-4807
We are now urged to update to 7.2.4 (which fixes this problem), but it comes with another one.
We are using SAML with Entra and if we install the newest version - the client stops at 40% and does not connect if we have more than 1 certificate in "personal certificates"
Question: Is the client vulnerable because the DLL is vulnerable? And if yes - why is there no info in the release notes of 7.2.4 then?
Best regards
Stephan
Hi @StephanG,
For information regarding vulnerabilities, please refer to https://www.fortiguard.com/encyclopedia/endpoint-vuln/76603
Regards,
This is what I found - but it does not mention a fix in 7.2.3+.
And as long as we cannot connect with 7.2.4 we cannot deploy it in our environment.
I see that there is already a thread for this behavior opened up:
Forticlient 7.2.4 trying to use certificates when ... - Page 3 - Fortinet Community
So we need to wait for the fix then.