The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of FortiClient

computer vulnerability bulletin CVE-2018-9190

FortiClientWindows: NULL pointer dereference via NDIS Miniport drivers

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via NDIS Miniport drivers of FortiClientWindows, in order to trigger a denial of service.
Impacted products: FortiClient.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: document.
Creation date: 11/01/2019.
Identifiers: CERTFR-2019-AVI-017, CVE-2018-9190, FG-IR-18-092, VIGILANCE-VUL-28248.

Description of the vulnerability

An attacker can force a NULL pointer to be dereferenced via NDIS Miniport drivers of FortiClientWindows, in order to trigger a denial of service.

vulnerability alert CVE-2017-7344

FortiClient Windows: privilege escalation via VPN Before Logon

Synthesis of the vulnerability

An attacker can bypass restrictions via VPN Before Logon of FortiClient Windows, in order to escalate his privileges.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: physical access.
Creation date: 13/12/2017.
Identifiers: CERTFR-2017-AVI-471, CVE-2017-7344, FG-IR-17-070, VIGILANCE-VUL-24761.

Description of the vulnerability

An attacker can bypass restrictions via VPN Before Logon of FortiClient Windows, in order to escalate his privileges.

computer vulnerability announcement CVE-2017-14184 CVE-2017-17543

FortiClient: privilege escalation via VPN Credentials

Synthesis of the vulnerability

An attacker can bypass restrictions via VPN Credentials of FortiClient, in order to escalate his privileges.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/12/2017.
Identifiers: CERTFR-2017-AVI-453, CVE-2017-14184, CVE-2017-17543, FG-IR-17-214, SEC Consult SA-20171213-0, VIGILANCE-VUL-24707.

Description of the vulnerability

An attacker can bypass restrictions via VPN Credentials of FortiClient, in order to escalate his privileges.

vulnerability note 24314

FortiClient: privilege escalation via FortiClientNamedPipe

Synthesis of the vulnerability

An attacker can bypass restrictions via FortiClientNamedPipe of FortiClient, in order to escalate his privileges.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 02/11/2017.
Identifiers: CERTFR-2017-AVI-387, CVE-2016-8493-REJECTERROR, FG-IR-16-095, VIGILANCE-VUL-24314.

Description of the vulnerability

An attacker can bypass restrictions via FortiClientNamedPipe of FortiClient, in order to escalate his privileges.

vulnerability alert 22341

Fortinet FortiClient: privilege escalation via subproc

Synthesis of the vulnerability

An attacker can bypass restrictions via subproc of Fortinet FortiClient, in order to escalate his privileges.
Impacted products: FortiClient, FortiOS.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 05/04/2017.
Identifiers: CVE-2016-8497-REJECTERROR, FG-IR-16-013, FG-IR-16-041, VIGILANCE-VUL-22341.

Description of the vulnerability

An attacker can bypass restrictions via subproc of Fortinet FortiClient, in order to escalate his privileges.

vulnerability 22340

Fortinet FortiClient: file corruption via SSLVPN

Synthesis of the vulnerability

A local attacker can create a symbolic link named SSLVPN, in order to alter the file it points to, with the privileges of Fortinet FortiClient.
Impacted products: FortiClient, FortiOS.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 05/04/2017.
Identifiers: CVE-2016-8496-REJECTERROR, FG-IR-16-069, VIGILANCE-VUL-22340.

Description of the vulnerability

A local attacker can create a symbolic link named SSLVPN, in order to alter the file it points to, with the privileges of Fortinet FortiClient.

computer vulnerability bulletin CVE-2015-4077 CVE-2015-5735 CVE-2015-5736

Fortinet FortiClient: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Fortinet FortiClient.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading.
Provenance: user account.
Number of vulnerabilities in this bulletin: 4.
Creation date: 02/09/2015.
Revision date: 27/03/2017.
Identifiers: CORE-2015-0013, CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737, VIGILANCE-VUL-17788.

Description of the vulnerability

Several vulnerabilities were announced in Fortinet FortiClient.

An attacker can use the IOCTL 0x22608C of "mdare*_*.sys", to read a memory fragment, in order to obtain sensitive information. [severity:1/4; CVE-2015-4077]

An attacker can use the IOCTL 0x226108 of "mdare*_*.sys" to corrupt memory, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-5735]

An attacker can use the IOCTL 0x220024/0x220028 of "Fortishield.sys", to change a callback, in order to run code. [severity:2/4; CVE-2015-5736]

An attacker can use the IOCTL 0x2220c8 to access a privileged handle, in order to escalate his privileges. [severity:2/4; CVE-2015-5737]

vulnerability note 20584

FortiClient: disclosure of VPN password

Synthesis of the vulnerability

A local attacker can dump the memory of FortiClient, in order to obtain the VPN password.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Creation date: 13/09/2016.
Identifiers: FG-IR-16-021, VIGILANCE-VUL-20584.

Description of the vulnerability

The FortiClient product can be used to connect to a VPN service, so it requests a password to access the VPN.

However, this password is stored unencrypted in the memory.

A local attacker can therefore dump the memory of FortiClient, in order to obtain the VPN password.

computer vulnerability bulletin CVE-2016-2542

Flexera InstallShield, JRSoft Inno Setup: code execution via DLL-planting

Synthesis of the vulnerability

An attacker can create a malicious DLL for Flexera InstallShield or JRSoft Inno Setup, in order to run code with administrator privileges.
Impacted products: NetWorker, FortiClient, DB2 UDB, Notes, Tivoli Storage Manager, WebSphere MQ, X2GoClient.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 09/05/2016.
Revision dates: 02/06/2016, 06/07/2016.
Identifiers: 1610582, 1978168, 1978363, 1979808, 1980839, 1982467, 1982741, 1982809, 1983796, 1983797, 1983813, 1983814, 1983815, 1984184, 1984743, 1984863, 494999, CVE-2016-2542, ESA-2017-008, FG-IR-16-046, VIGILANCE-VUL-19558.

Description of the vulnerability

The products Flexera InstallShield and JRSoft Inno Setup are used to create installation programs for software packages.

In some cases, the generated programs load extension modules whose names and possible locations depend on the package. However, in some cases, the installer looks for these extension DLLs in folders that are writable by unprivileged users, while the installation program that loads and runs the DLL is expected to be run by an administrator. A typical case is a browser's download folder. Note that these installers are expected to be run only a few times, so opportunities for exploitation are rare.

This bug has also been reported for other products in the bulletin VIGILANCE-VUL-18671.

An attacker can therefore create a malicious DLL for Flexera InstallShield or JRSoft Inno Setup, in order to run code with administrator privileges.

vulnerability CVE-2016-0723

Linux kernel: use after free via TIOCGETD

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via TIOCGETD on the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiOS, Android OS, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 19/01/2016.
Identifiers: CERTFR-2016-AVI-070, CERTFR-2016-AVI-073, CERTFR-2016-AVI-082, CERTFR-2016-AVI-099, CERTFR-2016-AVI-103, CERTFR-2016-AVI-110, CERTFR-2016-AVI-114, CERTFR-2016-AVI-159, CVE-2016-0723, DSA-3448-1, DSA-3503-1, FEDORA-2016-2f25d12c51, FEDORA-2016-5d43766e33, FG-IR-16-013, FG-IR-16-041, openSUSE-SU-2016:0537-1, openSUSE-SU-2016:1008-1, openSUSE-SU-2016:2649-1, SOL43650115, SUSE-SU-2016:0585-1, SUSE-SU-2016:0785-1, SUSE-SU-2016:0911-1, SUSE-SU-2016:1102-1, SUSE-SU-2016:1203-1, SUSE-SU-2016:1764-1, SUSE-SU-2016:2074-1, USN-2929-1, USN-2929-2, USN-2930-1, USN-2930-2, USN-2930-3, USN-2932-1, USN-2948-1, USN-2948-2, USN-2967-1, USN-2967-2, VIGILANCE-VUL-18750.

Description of the vulnerability

The TIOCGETD ioctl returns the "Line Discipline" of the tty terminal.

However, the function implementing this ioctl frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area via TIOCGETD on the Linux kernel, in order to trigger a denial of service.