Fortinet FortiClient Windows privilege escalation vulnerability (CVE-2017-7344) at logon


Summary

Editor: Fortinet

Product: FortiClient

Title: Fortinet FortiClient Windows privilege escalation at logon

CVE ID: CVE-2017-7344

Intrinsec ID: ISEC-V2017-01

Risk level: high

Exploitable: Locally, or remotely if the logon screen is exposed (e.g. through RDP without NLA required). Requires non-default configuration on the client (« Enable VPN before logon »). Requires an invalid certificate on the VPN endpoint side, or a MITM attacker presenting an invalid certificate (e.g. stolen laptop scenario).

Impact: Privilege escalation: from anonymous to SYSTEM, and Windows lock screen bypass

Description

This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.

A setting, disabled by default, makes FortiClient available on the logon screen so that users can connect to a VPN profile before logon. An attacker with physical or remote (e.g. through TSE, VNC…) access to a machine that has FortiClient installed and this feature enabled can obtain SYSTEM-level privileges from the lock screen. No account or prior knowledge is required.

The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. the default self-signed certificate, or a Man-in-the-Middle situation with SSL/TLS interception).

Versions affected

  • FortiClient Windows 5.6.0
  • FortiClient Windows 5.4.3 and earlier

Solutions

Upgrade to FortiClient Windows 5.4.4 or 5.6.1.

However, we tested the latest version and discovered some bypasses of the fix under certain circumstances. We have shared our findings with Fortinet, who are working on a more complete fix. We do not intend to share more details until this issue is fixed.


Enabling the « Do not warn invalid server certificate » option would prevent this issue, but it is strongly discouraged since it allows silent Man-in-the-Middle attacks.

Deploying a valid certificate on the VPN endpoint mitigates the issue in standard situations. However, an attacker in a MITM position will present their own invalid certificate to FortiClient regardless of the legitimate server certificate, so this alone is not sufficient to resolve the issue.
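As an added triage helper (not Intrinsec's or Fortinet's code), the following Python classifies FortiClient Windows versions against the ranges listed under "Versions affected" and "Solutions", and combines the result with the two settings this advisory names. The inventory records and their field names are constructed assumptions for illustration, not FortiClient's own configuration keys; the four-component version form (build suffix) is also an assumption.

```python
"""Triage helper for CVE-2017-7344 (added example, not the advisory's own code)."""
from typing import Dict, Tuple


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.4.3' or '5.6.0.1075' (build suffix assumed) into major.minor.patch."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected FortiClient version format: {version!r}")
    return parts[0], parts[1], parts[2]  # build number, if any, is ignored


def version_status(version: str) -> str:
    """Classify a FortiClient Windows version against the advisory's ranges."""
    v = parse_version(version)
    if v <= (5, 4, 3) or v == (5, 6, 0):
        return "affected"
    if (5, 4, 4) <= v < (5, 5, 0) or v >= (5, 6, 1):
        # advisory's fixed releases; it also notes later bypasses were found
        return "fixed_per_advisory"
    return "not_listed"  # e.g. 5.5.x is not named in the advisory


def assess_host(record: Dict[str, object]) -> str:
    """Combine version and the two named settings into one verdict per host."""
    status = version_status(str(record["version"]))
    if status != "affected":
        return status
    if not record.get("vpn_before_logon", False):
        # default configuration: the dialog is never reachable from the logon screen
        return "affected_feature_disabled"
    if record.get("no_warn_invalid_cert", False):
        # dialog suppressed, so the escalation path is closed, but MITM is now silent
        return "affected_dialog_suppressed_mitm_risk"
    return "exposed"


def triage(inventory: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Run assess_host over a hostname -> record mapping."""
    return {host: assess_host(rec) for host, rec in inventory.items()}


if __name__ == "__main__":
    # constructed sample inventory
    sample = {
        "laptop-01": {"version": "5.6.0.1075", "vpn_before_logon": True},
        "laptop-02": {"version": "5.4.3", "vpn_before_logon": False},
        "laptop-03": {"version": "5.6.1", "vpn_before_logon": True},
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```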

Credits

Vulnerability discovered by Clément Notin / @cnotin.

Vulnerability disclosed in coordination with the CERT-Intrinsec.

Exploitation details

Setup

Windows 7 Professional x64, English. FortiClient, vulnerable version:

Create VPN connection in FortiClient with a FortiGate endpoint (or try with any domain having an invalid certificate, such as expired.badssl.com):

To read the original article:

http://securite.intrinsec.com/2017/12/22/cve-2017-7344-fortinet-forticlient-windows-privilege-escalation-at-logon/
