<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>NSS AEP: FortiClient Service or Process Tampering Disclosure</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
    </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-19-148</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2019-10-18T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
            </cvrf:Revision>
        </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2019-10-18T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2019-10-18T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            FortiClient for Windows could be subject to the following shut down or tampering attempts:
            a) User Interface or Command Line shut down
            By default a privileged user can close the FortiClient for Windows program.
            b) Service or Process shut down
            Malicious privileged programs can stop the FortiClient for Windows process via the taskkill command.
            c) Uninstall
            By default a privileged user can uninstall the FortiClient for Windows program.
            d) Code Injection
            A component of FortiClient for Windows will search for a specific non-existent Windows Dynamic Link Library when starting. A malicious and privileged program can forge that DLL, leading to arbitrary code execution.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Execute unauthorized code or commands
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            a) User Interface or Command Line shut down
            FortiClient for Windows all versions under default configurations.
            b) Service or Process shut down
            FortiClient for Windows 6.2.1 and below versions.
            c) Uninstall
            FortiClient for Windows all versions under default configurations.
            d) Code Injection
            FortiClient for Windows 6.2.0 and below versions.
            All of the above require the malicious program or attacker to have the same or higher level of privilege as FortiClient.
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            a) User Interface or Command Line Tampering
            FortiClient for Windows supports disabling program-closing under both managed mode and standalone mode:
            o Managed mode: Enable the &#34;Disable Unregister&#34; setting in FortiClient EMS
            o Standalone mode: Enable the &#34;Lock Settings&#34; setting in FortiClient console
            b) Service or Process shut down
            Upgrade to FortiClient for Windows 6.2.2
            c) Uninstall
            FortiClient for Windows supports disabling program uninstall under both managed mode and standalone mode:
            o Managed mode: Enable the &#34;Disable Unregister&#34; setting in FortiClient EMS
            o Standalone mode: Enable the &#34;Lock Settings&#34; setting in FortiClient console
            d) Code Injection
            Upgrade to FortiClient for Windows 6.2.1
            Revision History:
            2019-07-25 Initial release
            2019-10-17 FortiClient for Windows 6.2.2 released to address issue b)
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:DocumentReferences>
        <cvrf:Reference>
            <cvrf:URL>https://fortiguard.fortinet.com/psirt/FG-IR-19-148</cvrf:URL>
            <cvrf:Description>NSS AEP: FortiClient Service or Process Tampering Disclosure</cvrf:Description>
        </cvrf:Reference>
        <cvrf:Reference>
            <cvrf:URL>https://www.nsslabs.com/blog-posts/2019/7/24/your-advanced-endpoint-protection-aep-product-protects-your-computer-but-can-it-protect-itself</cvrf:URL>
            <cvrf:Description>https://www.nsslabs.com/blog-posts/2019/7/24/your-advanced-endpoint-protection-aep-product-protects-your-computer-but-can-it-protect-itself</cvrf:Description>
        </cvrf:Reference>
    </cvrf:DocumentReferences>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>Fortinet is pleased to thank Edsel Valle - security researcher from NSS Labs for reporting this vulnerability under responsible disclosure.</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>NSS AEP: FortiClient Service or Process Tampering Disclosure</Title>
        <cvrf:CVE>CVE-2019-6692</cvrf:CVE>
        <CVSSScoreSets>
            <ScoreSetV3>
                <BaseScoreV3>6.2</BaseScoreV3>
                <VectorV3>CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X</VectorV3>
            </ScoreSetV3>
        </CVSSScoreSets>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-19-148</URL>
                <Description>NSS AEP: FortiClient Service or Process Tampering Disclosure</Description>
            </Reference>
            <Reference>
                <URL>https://www.nsslabs.com/blog-posts/2019/7/24/your-advanced-endpoint-protection-aep-product-protects-your-computer-but-can-it-protect-itself</URL>
                <Description>https://www.nsslabs.com/blog-posts/2019/7/24/your-advanced-endpoint-protection-aep-product-protects-your-computer-but-can-it-protect-itself</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>