Fortiguard

Gain Windows privileges with FortiClient vpn before logon and untrusted certificate

Summary

When the "VPN before logon" feature of FortiClient Windows is enabled (disabled by default), and when the server certificate is not valid, it is possible for an attacker without a user account on the targeted Windows workstation to obtain SYSTEM level privileges, via exploiting the Windows "security alert" dialog thereby popping up.
This may be achieved locally or remotely (for instance through RDP, if the logon screen is exposed).

Affected Products

FortiClient Windows 5.6.0
FortiClient Windows 5.4.3 and earlier

Solutions

Upgrade to FortiClient Windows 5.4.4 or 5.6.1

Acknowledgement

Fortinet is pleased to thank Clement NOTIN of INTRINSEC for reporting this vulnerability under responsible disclosure.

References

https://securite.intrinsec.com/2017/12/22/cve-2017-7344-fortinet-forticlient-windows-privilege-escalation-at-logon/

IR Number	FG-IR-17-070
Date	Dec 13, 2017
Severity	High
Impact	Escalation of privilege
CVE ID	CVE-2017-7344
CVRF	Download

Network

Files and Endpoint

Application

Additional SOC Services

PSIRT Advisories

Gain Windows privileges with FortiClient vpn before logon and untrusted certificate

Summary

Affected Products

Solutions

Acknowledgement

References

News / Research

Network

Files and Endpoint

Application

Additional SOC Services

FortiGate

FortiDeceptor

FortiClient

FortiMail

FortiEDR

FortiADC

FortiAnalyzer

FortiCWP

FortiWeb

FortiNDR

FortiSandBox

FortiTester

Threat Lookup

PSIRT

Resources

PSIRT Advisories

Gain Windows privileges with FortiClient vpn before logon and untrusted certificate

Summary

Affected Products

Solutions

Acknowledgement

References