Fortinet fixes FortiClient VPN Flaw CVE-2024-47574

Fortinet has patched a vulnerability in its FortiClient VPN application that potentially allows an attacker to escalate privileges, execute code and possibly take over the box, and delete log files.

The vulnerability is tracked as CVE-2024-47574, with a CVSS score of 7.8, and affects FortiClientWindows versions 7.4.0, 7.2.4 through 7.2.0, 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0.


The exploitation of the flaw involves using Windows named pipes with the FortiClient software to ultimately plant a script so that when a higher-privileged user next uses the VPN, that script is run with their privileges, and thus code execution is achieved with unauthorized powers. This privilege-escalation technique involves a step known as process hollowing.

The second vulnerability is tracked as CVE-2024-50564 and has not yet been assigned a CVSS score. However, it has also been fixed in the latest version, FortiClient 7.4.1.

Exploiting CVE-2024-50564 involves using a hard-coded local API encryption key that components of Fortinet’s software use to exchange commands and data between themselves.


CVE-2024-47574 could be abused to delete log files and make a user connect to an attacker-controlled server. When combined with the second vulnerability, CVE-2024-50564, a miscreant would be able to edit SYSTEM-level registry values within the HKLM registry hive.

Neither flaw appears to have been exploited in the wild. Organizations are urged to install the relevant patches to remediate the vulnerabilities.
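To find which endpoints need the patch, the version ranges listed above for CVE-2024-47574 can be checked against a software inventory export. The following is an added example, not code from Fortinet or from this article; the CSV column names, hostnames and the four-part build string are constructed assumptions.

```python
import csv
import io
import re

# Affected FortiClientWindows ranges for CVE-2024-47574, as listed in the
# article above (inclusive bounds on major.minor.patch).
AFFECTED = [
    ((7, 4, 0), (7, 4, 0)),
    ((7, 2, 0), (7, 2, 4)),
    ((7, 0, 0), (7, 0, 12)),
    ((6, 4, 0), (6, 4, 10)),
]

# Accepts "7.2.4" or "7.2.4.0972"; a trailing build field is an assumption
# about how an inventory tool may report the version, and is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the text is not a version."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """'affected', 'not-listed' (outside the article's ranges) or 'unparsed'."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"
    # Integer tuples compare numerically, so 7.0.9 sorts below 7.0.12
    # (a plain string comparison would get this wrong).
    if any(low <= v <= high for low, high in AFFECTED):
        return "affected"
    return "not-listed"

def triage(inventory_csv):
    """Map host -> status for CSV rows with columns host,forticlient_version."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["forticlient_version"]) for row in reader}

# Constructed sample inventory export (hypothetical hosts and column names).
SAMPLE = """host,forticlient_version
ws-001,7.4.0
ws-002,7.4.1
ws-003,7.2.4.0972
ws-004,7.0.13
ws-005,6.4.10
ws-006,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A result of `not-listed` only means the version falls outside the ranges quoted in this article, and `unparsed` rows need a manual check.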
