FortiClient (Windows) / FortiConverter (Windows) - Insecure Installation Folder

Summary

An incorrect default permissions [CWE-276] vulnerability in FortiClient (Windows) and FortiConverter (Windows) may allow a local authenticated attacker to tamper with files in the installation folder, if FortiClient or FortiConverter is installed in an insecure folder.

Affected Products

FortiClientWindows version 7.0.0 through 7.0.6
FortiClientWindows version 6.4.0 through 6.4.8
FortiConverter version 7.0.0
FortiConverter 6.2 all versions
FortiConverter 6.0 all versions

Solutions

Please upgrade to FortiClientWindows version 7.0.7 or above
Please upgrade to FortiClientWindows version 6.4.9 or above

Please upgrade to FortiConverter version 7.0.1 or above
Please upgrade to FortiConverter version 6.2.2 or above
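As an added defender-side check (this is not Fortinet's code and is not part of the advisory): a PowerShell script that reads the ACL of a FortiClient or FortiConverter installation folder and reports write-capable permissions granted to broad groups such as Users or Everyone, which is the "insecure folder" condition the advisory describes. The two default paths are assumptions; pass the folder the product was actually installed to.

```powershell
# Added example (not Fortinet's code): audits an installation folder's ACL for
# write-capable ACEs granted to broad principals, the condition in this advisory.
# The default paths are assumptions; override -Paths with the real install folder.
param(
    [string[]]$Paths = @(
        'C:\Program Files\Fortinet\FortiClient',    # assumed default location
        'C:\Program Files\Fortinet\FortiConverter'  # assumed default location
    )
)

# Well-known principals that should never hold write rights on program files.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a standard user replace, append to, or re-permission files.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-InsecureInstallFolder {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at the parent folder's ACL
            }
        }
    }
}

$findings = $Paths | ForEach-Object { Test-InsecureInstallFolder -Path $_ }
if ($findings) {
    Write-Warning "Non-administrative principals can write to the installation folder; upgrade per the advisory and tighten the ACL (or reinstall under a protected folder)."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad write permissions found on the checked folders."
}
```

Run it from an elevated PowerShell session so Get-Acl can read the folder's security descriptor; an inherited finding means the parent folder's ACL is the one to fix.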

Acknowledgement

Fortinet is pleased to thank Konrad Haase from Control Gap for reporting this vulnerability under responsible disclosure.

Timeline

2023-05-23: Initial publication