The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Fortinet FortiClient

vulnerability alert CVE-2017-7344

FortiClient Windows: privilege escalation via VPN Before Logon

Synthesis of the vulnerability

An attacker can bypass restrictions via VPN Before Logon of FortiClient Windows, in order to escalate his privileges.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: physical access.
Creation date: 13/12/2017.
Identifiers: CERTFR-2017-AVI-471, CVE-2017-7344, FG-IR-17-070, VIGILANCE-VUL-24761.

Description of the vulnerability

An attacker can bypass restrictions via VPN Before Logon of FortiClient Windows, in order to escalate his privileges.

computer vulnerability announce CVE-2017-14184 CVE-2017-17543

FortiClient: privilege escalation via VPN Credentials

Synthesis of the vulnerability

An attacker can bypass restrictions via VPN Credentials of FortiClient, in order to escalate his privileges.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/12/2017.
Identifiers: CERTFR-2017-AVI-453, CVE-2017-14184, CVE-2017-17543, FG-IR-17-214, SEC Consult SA-20171213-0, VIGILANCE-VUL-24707.

Description of the vulnerability

An attacker can bypass restrictions via VPN Credentials of FortiClient, in order to escalate his privileges.

vulnerability note 24314

FortiClient: privilege escalation via FortiClientNamedPipe

Synthesis of the vulnerability

An attacker can bypass restrictions via FortiClientNamedPipe of FortiClient, in order to escalate his privileges.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 02/11/2017.
Identifiers: CERTFR-2017-AVI-387, CVE-2016-8493-REJECTERROR, FG-IR-16-095, VIGILANCE-VUL-24314.

Description of the vulnerability

An attacker can bypass restrictions via FortiClientNamedPipe of FortiClient, in order to escalate his privileges.

vulnerability alert 22341

Fortinet FortiClient: privilege escalation via subproc

Synthesis of the vulnerability

An attacker can bypass restrictions via subproc of Fortinet FortiClient, in order to escalate his privileges.
Impacted products: FortiClient, FortiOS.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 05/04/2017.
Identifiers: CVE-2016-8497-REJECTERROR, FG-IR-16-013, FG-IR-16-041, VIGILANCE-VUL-22341.

Description of the vulnerability

An attacker can bypass restrictions via subproc of Fortinet FortiClient, in order to escalate his privileges.

vulnerability 22340

Fortinet FortiClient: file corruption via SSLVPN

Synthesis of the vulnerability

A local attacker can create a symbolic link named SSLVPN, in order to alter the file it points to, with the privileges of Fortinet FortiClient.
Impacted products: FortiClient, FortiOS.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 05/04/2017.
Identifiers: CVE-2016-8496-REJECTERROR, FG-IR-16-069, VIGILANCE-VUL-22340.

Description of the vulnerability

A local attacker can create a symbolic link named SSLVPN, in order to alter the file it points to, with the privileges of Fortinet FortiClient.

computer vulnerability bulletin CVE-2015-4077 CVE-2015-5735 CVE-2015-5736

Fortinet FortiClient: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Fortinet FortiClient.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading.
Provenance: user account.
Number of vulnerabilities in this bulletin: 4.
Creation date: 02/09/2015.
Revision date: 27/03/2017.
Identifiers: CORE-2015-0013, CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737, VIGILANCE-VUL-17788.

Description of the vulnerability

Several vulnerabilities were announced in Fortinet FortiClient.

An attacker can use the IOCTL 0x22608C of "mdare*_*.sys", to read a memory fragment, in order to obtain sensitive information. [severity:1/4; CVE-2015-4077]

An attacker can use the IOCTL 0x226108 of "mdare*_*.sys", to generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-5735]

An attacker can use the IOCTL 0x220024/0x220028 of "Fortishield.sys", to change a callback, in order to run code. [severity:2/4; CVE-2015-5736]

An attacker can use the IOCTL 0x2220c8, to access a privileged handle, in order to escalate his privileges. [severity:2/4; CVE-2015-5737]

vulnerability note 20584

FortiClient: disclosure of VPN password

Synthesis of the vulnerability

A local attacker can dump the memory of FortiClient, in order to obtain the VPN password.
Impacted products: FortiClient.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Creation date: 13/09/2016.
Identifiers: FG-IR-16-021, VIGILANCE-VUL-20584.

Description of the vulnerability

The FortiClient product can be used to connect to a VPN service, so it requests a password to access the VPN.

However, this password is stored unencrypted in memory.

A local attacker can therefore dump the memory of FortiClient, in order to obtain the VPN password.

computer vulnerability bulletin CVE-2016-2542

Flexera InstallShield, JRSoft Inno Setup: code execution via DLL-planting

Synthesis of the vulnerability

An attacker can create a malicious DLL for Flexera InstallShield or JRSoft Inno Setup, in order to run code with administrator privileges.
Impacted products: NetWorker, FortiClient, DB2 UDB, Notes, Tivoli Storage Manager, WebSphere MQ, Notepad++, PuTTY, X2GoClient.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 09/05/2016.
Revision dates: 02/06/2016, 06/07/2016.
Identifiers: 1610582, 1978168, 1978363, 1979808, 1980839, 1982467, 1982741, 1982809, 1983796, 1983797, 1983813, 1983814, 1983815, 1984184, 1984743, 1984863, 494999, CVE-2016-2542, ESA-2017-008, FG-IR-16-046, VIGILANCE-VUL-19558.

Description of the vulnerability

The products Flexera InstallShield and JRSoft Inno Setup are used to create installation programs for software packages.

In some cases, the generated programs load extension modules whose names and possible locations depend on the package being installed. However, in some cases, the installer looks for these extension DLLs in folders that are writable by unprivileged users, while the installation program that loads and runs the DLL is expected to be run by an administrator. A typical case is the download folder of a browser. Note that these installers are expected to be run only a few times, so opportunities for exploitation are rare.

This bug has also been reported for other products in the bulletin VIGILANCE-VUL-18671.

An attacker can therefore create a malicious DLL for Flexera InstallShield or JRSoft Inno Setup, in order to run code with administrator privileges.

vulnerability CVE-2016-0723

Linux kernel: use after free via TIOCGETD

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via TIOCGETD on the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiOS, Android OS, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 19/01/2016.
Identifiers: CERTFR-2016-AVI-070, CERTFR-2016-AVI-073, CERTFR-2016-AVI-082, CERTFR-2016-AVI-099, CERTFR-2016-AVI-103, CERTFR-2016-AVI-110, CERTFR-2016-AVI-114, CERTFR-2016-AVI-159, CVE-2016-0723, DSA-3448-1, DSA-3503-1, FEDORA-2016-2f25d12c51, FEDORA-2016-5d43766e33, FG-IR-16-013, FG-IR-16-041, openSUSE-SU-2016:0537-1, openSUSE-SU-2016:1008-1, openSUSE-SU-2016:2649-1, SOL43650115, SUSE-SU-2016:0585-1, SUSE-SU-2016:0785-1, SUSE-SU-2016:0911-1, SUSE-SU-2016:1102-1, SUSE-SU-2016:1203-1, SUSE-SU-2016:1764-1, SUSE-SU-2016:2074-1, USN-2929-1, USN-2929-2, USN-2930-1, USN-2930-2, USN-2930-3, USN-2932-1, USN-2948-1, USN-2948-2, USN-2967-1, USN-2967-2, VIGILANCE-VUL-18750.

Description of the vulnerability

The TIOCGETD ioctl returns the "Line Discipline" of the tty terminal.

However, the function implementing this ioctl frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area via TIOCGETD on the Linux kernel, in order to trigger a denial of service.

computer vulnerability announce CVE-2015-3196

OpenSSL: use after free via PSK Identity Hint

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via PSK Identity Hint of an OpenSSL multi-threaded client, in order to trigger a denial of service, and possibly to run code.
Impacted products: FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Switch, AIX, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, IVE OS, Juniper J-Series, Junos OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper SBR, McAfee Email Gateway, Data ONTAP, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, Pulse Connect Secure, MAG Series by Pulse Secure, Pulse Secure SBR, Puppet, RHEL, Slackware, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: internet server.
Creation date: 03/12/2015.
Identifiers: 1972951, 1976113, 1976148, 1981612, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3196, DSA-3413-1, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, RHSA-2015:2617-01, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, USN-2830-1, VIGILANCE-VUL-18437.

Description of the vulnerability

The OpenSSL library can be used by a multi-threaded client.

However, in this case, the SSL_CTX structure does not contain an updated PSK Identity Hint. OpenSSL can thus free the same memory area twice.

An attacker can therefore force the usage of a freed memory area via PSK Identity Hint of an OpenSSL multi-threaded client, in order to trigger a denial of service, and possibly to run code.