CVE-2020-7041
Description
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because an X509_check_host negative error code is interpreted as a successful return value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
openfortivpn 1.11.0 mishandles X509_check_host return values, allowing MITM attacks via invalid certificates.
Vulnerability
The openfortivpn VPN client version 1.11.0, when built with OpenSSL 1.0.2 or later, contains a certificate validation flaw in tunnel.c. The function X509_check_host returns a negative error code on failure, but the code treats any non-zero return value as success. Consequently, a server certificate for which host validation fails with a negative return code (a hostname mismatch or another validation failure) is accepted as valid. This affects all installations of openfortivpn 1.11.0 using OpenSSL 1.0.2+ [1][2].
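As an added illustration, not code from the openfortivpn project or from this CVE record, the C program below models the documented return contract of OpenSSL's X509_check_host (1 match, 0 mismatch, negative on internal error) with a hypothetical stand-in, model_check_host, and runs the 1.11.0 acceptance test beside the one from the fix commit over constructed cases. The functions cert_valid_before_fix, cert_valid_after_fix, describe_check and count_accepted, and the sample host names, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not openfortivpn's code. It models the documented return
 * contract of OpenSSL's X509_check_host(3):
 *   1  -> the host name matches the certificate
 *   0  -> the host name does not match
 *  -1  -> internal error (memory allocation or ASN.1 decoding failure)
 * model_check_host() is a hypothetical stand-in so both validation policies
 * can be exercised without OpenSSL or a real certificate.
 */

/* Hypothetical stand-in for X509_check_host: the "certificate" is reduced to
 * its subject alternative name string. A NULL SAN stands for a certificate
 * that could not be decoded, which is the -1 path. */
int model_check_host(const char *cert_san, const char *host)
{
    if (cert_san == NULL || host == NULL)
        return -1;                       /* internal error, not a verdict */
    return strcmp(cert_san, host) == 0;  /* 1 on match, 0 on mismatch */
}

/* Policy of openfortivpn 1.11.0 tunnel.c: any non-zero return is accepted.
 * This is the CVE-2020-7041 defect: -1 is truthy in C. */
int cert_valid_before_fix(int rc)
{
    return rc != 0;
}

/* Policy from commit 60660e00b80b: only an exact 1 means a validated
 * certificate. Both 0 (mismatch) and negative values (error) fail closed. */
int cert_valid_after_fix(int rc)
{
    return rc == 1;
}

/* For logging: tell an OpenSSL-internal error apart from a plain mismatch,
 * so an operator can distinguish "wrong gateway" from "broken certificate". */
const char *describe_check(int rc)
{
    if (rc == 1)
        return "match";
    if (rc == 0)
        return "mismatch";
    return "internal error";
}

/* Constructed test cases: SAN in the certificate, host the client dialled. */
struct check_case {
    const char *cert_san;
    const char *host;
};

static const struct check_case cases[] = {
    { "vpn.example.test",  "vpn.example.test" }, /* genuine gateway */
    { "evil.example.test", "vpn.example.test" }, /* wrong certificate */
    { NULL,                "vpn.example.test" }, /* undecodable certificate */
};

/* Count how many cases a policy accepts. The 1.11.0 policy accepts the
 * undecodable certificate as well; the fixed one accepts only the match. */
int count_accepted(int (*policy)(int))
{
    int accepted = 0;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        accepted += policy(model_check_host(cases[i].cert_san, cases[i].host));
    return accepted;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int rc = model_check_host(cases[i].cert_san, cases[i].host);
        printf("case %zu: rc=%2d (%s) before-fix=%d after-fix=%d\n",
               i, rc, describe_check(rc),
               cert_valid_before_fix(rc), cert_valid_after_fix(rc));
    }
    printf("accepted before fix: %d, after fix: %d\n",
           count_accepted(cert_valid_before_fix),
           count_accepted(cert_valid_after_fix));
    return 0;
}
```

The design point is the one the fix commit makes: a tri-state return must be compared against the single success value, never tested for truthiness, and a defender-facing build should log the raw return code when it is negative so an internal OpenSSL failure is not mistaken for a hostname mismatch.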
Exploitation
An attacker in a network position to intercept or redirect VPN traffic (e.g., on the same network segment, or via DNS spoofing) can present a crafted TLS certificate to the vulnerable client. The client's flawed validation logic will treat the negative return code from X509_check_host as a pass, allowing the connection to proceed. No additional authentication or user interaction beyond initiating a VPN connection is required.
Impact
Successful exploitation enables a man-in-the-middle (MITM) attacker to decrypt, read, and modify the VPN tunnel's traffic. The attacker can also impersonate the legitimate VPN gateway, gaining access to credentials and other sensitive data transmitted during the session. The impact is a complete compromise of confidentiality, integrity, and availability of the VPN connection.
Mitigation
The vulnerability is fixed in openfortivpn version 1.12.0, which corrects the return value handling of X509_check_host [2]. Users should upgrade to version 1.12.0 or later. No workaround is available for version 1.11.0. Fedora package announcements reference updates addressing this issue; users of affected distributions should apply the provided updates [3][4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (5)
- openfortivpn/openfortivpn (description): range = 1.11.0
- OSV coordinates (3 versions):
  - pkg:rpm/opensuse/openfortivpn&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/openfortivpn&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/openfortivpn&distro=SUSE%20Package%20Hub%2015%20SP1
- (no CPE) range: < 1.12.0-lp151.2.5.1
- (no CPE) range: < 1.17.1-1.1
- (no CPE) range: < 1.12.0-bp151.3.3.1
Patches (2)
Commit cd9368c6a1b4: openfortivpn version 1.12.0
2 files changed · +13 −1
CHANGELOG.md+12 −0 modified@@ -14,6 +14,18 @@ Releases This high level changelog is usually updated when a release is tagged. On the master branch there may be changes that are not (yet) described here. +### 1.12.0 + +* [-] fix CVE-2020-7043: TLS Certificate CommonName NULL Byte Vulnerability +* [-] fix CVE-2020-7042: use of uninitialized memory in X509_check_host +* [-] fix CVE-2020-7041: incorrect use of X509_check_host (regarding return value). +* [-] always hide cleartest password in -vv output +* [+] add a clear warning about sensitive information in the debug output +* [+] add a hint in debug output when password is read from config file +* [-] fix segfault when connecting with empty password +* [+] use resolvconf if available to update resolv.conf file +* [~] replace semicolon by space in dns-suffix string + ### 1.11.0 * [+] allow to connect with empty password (and with smartcard instead of username)
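Review bot: the CHANGELOG line `* [-] always hide cleartest password in -vv output` has a typo; "cleartest" should read "cleartext". In the same hunk the CVE-2020-7041 entry ends with a period while the neighbouring entries do not; drop it so the list is consistent.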
configure.ac+1 −1 modified@@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.63]) -AC_INIT([openfortivpn], [1.11.0]) +AC_INIT([openfortivpn], [1.12.0]) AC_CONFIG_SRCDIR([src/main.c]) AM_INIT_AUTOMAKE([foreign subdir-objects])
Commit 60660e00b80b: correctly check return value of X509_check_host
1 file changed · +2 −1
src/tunnel.c+2 −1 modified@@ -666,7 +666,8 @@ static int ssl_verify_cert(struct tunnel *tunnel) #ifdef HAVE_X509_CHECK_HOST // Use OpenSSL native host validation if v >= 1.0.2. - if (X509_check_host(cert, common_name, FIELD_SIZE, 0, NULL)) + // correctly check return value of X509_check_host + if (X509_check_host(cert, common_name, FIELD_SIZE, 0, NULL) == 1) cert_valid = 1; #else // Use explicit Common Name check if native validation not available.
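Review bot: the `== 1` comparison matches the documented X509_check_host contract (1 for a match, 0 for no match, a negative value for an internal error), so a negative return now fails closed instead of setting cert_valid. The negative case is, however, folded silently into the same "not valid" path as a hostname mismatch; consider capturing the return value and logging it when it is negative, so an OpenSSL-internal failure (the release's CHANGELOG also lists CVE-2020-7042, uninitialized memory in X509_check_host) can be told apart from a genuine mismatch in the client's debug output. The added comment `// correctly check return value of X509_check_host` repeats the commit subject rather than the contract; something like `// X509_check_host: 1 match, 0 mismatch, <0 internal error` would tell the next reader why only 1 is accepted.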
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00009.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00011.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKNKSGBVYGRRVRLFEFBEKUEJYJR5LWOF/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FF6HYIBREQGATRM5COF57MRQWKOKCWZ3/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SRVVNXCNTNMPCIAZIVR4FAGYCSU53FNA/ (mitre; vendor-advisory; x_refsource_FEDORA)
- github.com/adrienverge/openfortivpn/commit/60660e00b80bad0fadcf39aee86f6f8756c94f91 (mitre; x_refsource_CONFIRM)
- github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4 (mitre; x_refsource_MISC)
- github.com/adrienverge/openfortivpn/issues/536 (mitre; x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.