FortiClient SSLVPN Linux - Root privilege escalation with subproc


The first run of the FortiClient SSLVPN script results in the subproc file becoming  suid & root owned binary. The issue lays in the lack of any check if this is the right file that the ownership and suid flag should be granted to. Replacement of this file with another appropriate file could result in its execution with root privilege.

Affected Products

FortiClient SSLVPN for Linux available with FortiOS before versions 5.4.3 and below.


Upgrade to FortiClient SSLVPN Linux available with FortiOS version 5.4.4 or above.


Fortinet is pleased to thank Grzegorz Wrobel of STMSolutions for reporting this vulnerability under responsible disclosure.