Privilege escalation and DoS in FortiClient for Linux through local IPC socket

Summary

A privilege escalation vulnerability in FortiClient for Linux may allow a low-privileged user to run system commands as root, overwrite system files, or crash FortiClient processes by injecting specially crafted client requests into the IPC socket of the FortiClient process.


The following four CVE identifiers were assigned to these vulnerabilities based on different attack vectors:


CVE-2019-15711 - System command injection through IPC socket by export logs

CVE-2019-16152 - DoS through IPC socket by malformed nanomsg

CVE-2019-16155 - Privilege escalation through IPC socket or GUI by backup file

CVE-2019-17652 - DoS through IPC socket by argv through nanomsg

Affected Products

CVE-2019-15711 - FortiClient for Linux 6.2.1 and below
CVE-2019-16152 - FortiClient for Linux 6.2.1 and below
CVE-2019-16155 - FortiClient for Linux 6.2.1 and below (IPC socket)
CVE-2019-16155 - FortiClient for Linux 6.2.2 and below (GUI)
CVE-2019-17652 - FortiClient for Linux 6.2.1 and below

Solutions

CVE-2019-15711 - Upgrade to FortiClient for Linux 6.2.2
CVE-2019-16152 - Upgrade to FortiClient for Linux 6.2.2
CVE-2019-16155 - Upgrade to FortiClient for Linux 6.2.2 (IPC socket)
CVE-2019-16155 - Upgrade to FortiClient for Linux 6.2.3 (GUI)
CVE-2019-17652 - Upgrade to FortiClient for Linux 6.2.2

Fortinet is not aware of any public code attempting to exploit these vulnerabilities.

Revision History

2019-11-05 Initial version
2020-01-27 CVE-2019-16155 through GUI addressed in 6.2.3

Acknowledgement

Fortinet is pleased to thank “Cees Elzinga from Danish Cyber Defence” for reporting this vulnerability under responsible disclosure.