Gain Windows privileges with FortiClient vpn before logon and untrusted certificate
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-17-070
Final
1
1
2017-12-13T00:00:00
Current version
2017-12-13T00:00:00
2017-12-13T00:00:00
When the "VPN before logon" feature of FortiClient Windows is enabled (it is disabled by default) and the server certificate is not valid, an attacker without a user account on the targeted Windows workstation can obtain SYSTEM-level privileges by exploiting the Windows "security alert" dialog that pops up as a result. This may be achieved locally or remotely (for instance through RDP, if the logon screen is exposed).
Escalation of privilege
FortiClient Windows 5.6.0
FortiClient Windows 5.4.3 and earlier
The vulnerability can be remediated using any of three different solutions:
* Configure the VPN server (FortiGate) to serve a valid SSL certificate chain, or
* Have the VPN user configure the "Do Not Warn Invalid Server Certificate" option in FortiClient, or
* Upgrade to FortiClient Windows 5.4.4 or 5.6.1
Fortinet is pleased to thank Clement NOTIN of INTRINSEC for reporting this vulnerability under responsible disclosure.
FortiClientWindows 5.6.0
FortiClientWindows 5.4.3
FortiClientWindows 5.4.2
FortiClientWindows 5.4.1
FortiClientWindows 5.4.0
CVE-2017-7344
FortiClientWindows-5.6.0
FortiClientWindows-5.4.3
FortiClientWindows-5.4.2
FortiClientWindows-5.4.1
FortiClientWindows-5.4.0
6.1
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-17-070