Fortinet Patches VPN Flaw That Provided Privilege Escalation

A now-patched, high-severity bug in Fortinet’s FortiClient VPN application potentially allows a low-privilege rogue user or malware on a vulnerable Windows system to gain higher privileges from another user, execute code and possibly take over the box, and delete log files.

The bug is tracked as CVE-2024-47574, and it earned a 7.8 out of 10 CVSS severity rating. It affects FortiClientWindows version 7.4.0, 7.2.4 through 7.2.0, 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0. Fortinet patched the hole on Tuesday, so if you haven’t already, upgrade to a fixed release.

Pentera Labs’ bug hunter Nir Chako found and reported the flaw to Fortinet, plus a second security oversight that allows someone or something nefarious on a system running the VPN client to alter SYSTEM-level registry keys that would otherwise be off limits.

According to Chako, this latter flaw has been assigned CVE-2024-50564, though the vendor has not yet issued a security alert about it. However, it has also been fixed in the latest version, FortiClient 7.4.1. 

“They said it will be published in the next advisory update,” Chako told The Register, adding that advisory is slated for release on the December 10 Patch Tuesday. “From a security perspective, after testing version 7.4.1, we were able to validate that the patch prevented us from executing the techniques.”

Neither flaw appears to have been exploited in the wild. Fortinet did not immediately respond to The Register‘s inquiries. We will update this story if and when we hear back from the vendor.

As Chako explains in this detailed technical write-up, exploiting CVE-2024-47574 involves using Windows named pipes with the FortiClient software to ultimately plant a script so that when a higher-privileged user next uses the VPN, that script is run with their privileges, and thus code execution is achieved with unauthorized powers. This privilege-escalation technique involves a step know as process hollowing.

This could also be abused to delete log files, and make a user connect to an attacker-controlled server. Plus, when combined with the second vulnerability, CVE-2024-50564, a miscreant would be “able to edit SYSTEM level registry values within the HKLM registry hive,” Chako said.

Exploiting CVE-2024-50564 involves using a hard-coded local API encryption key that components of Fortinet’s software use to exchange commands and data between themselves; it’s not a VPN secret. ®

READ MORE HERE