FortiClient 6.4.1.1519

Recurring Questions and Security Issues Regarding FortiClient

❓ What is CVE-2024-50570, and how does it impact FortiClient users?

Answer:
CVE-2024-50570 is an information disclosure vulnerability impacting FortiClient versions on Windows and Linux. This flaw allows local authenticated users to retrieve VPN passwords through memory dumps, primarily due to improper handling of sensitive information by JavaScript's garbage collector. Attackers with local system access could exploit this vulnerability to gain unauthorized access to sensitive VPN credentials. Fortinet has acknowledged the vulnerability and recommends users upgrade to the latest FortiClient release to mitigate this security risk.

Source

❓ How does CVE-2024-47574 allow privilege escalation in FortiClient?

Answer:
CVE-2024-47574 is a significant vulnerability in FortiClient for Windows, allowing privilege escalation through exploitation of Windows named pipes. A low-privileged authenticated user can inject scripts executed by the FortiClient service running with higher privileges. This flaw enables attackers to alter registry keys, modify service configurations, or remove log files, resulting in unauthorized code execution at higher privilege levels. Fortinet addressed this issue through security patches, and users are strongly advised to apply updates promptly.

Sources, Pentera

❓ What is CVE-2023-41840, and what are its implications for FortiClient users?

Answer:
CVE-2023-41840 is a DLL hijacking vulnerability within FortiClient’s OpenSSL component on Windows systems. This vulnerability stems from an untrusted search path issue, allowing attackers to execute arbitrary code by placing malicious DLL files in certain directories. The flaw poses a serious security risk, as it allows attackers to compromise system integrity, potentially gaining unauthorized control of the affected machine. Fortinet has released security updates to fix this vulnerability, and updating FortiClient installations is strongly recommended.

Source

❓ How did attackers maintain access to Fortinet devices even after patches were applied?

Answer:
Attackers have successfully retained read-only access to thousands of Fortinet VPN devices despite patches being applied. This persistent compromise was primarily due to attackers leveraging previously exploited vulnerabilities to maintain ongoing visibility into sensitive data. Such breaches highlight the necessity of holistic security approaches beyond just patching, including regular security audits, ongoing monitoring for indicators of compromise, implementing strict access control measures, and proactive response strategies.

Source

❓ What steps has Fortinet taken to address these vulnerabilities?

Answer:
Fortinet has proactively responded to these vulnerabilities by issuing security patches and detailed guidance. Recommended protective measures include:

1. Immediately updating FortiClient to the latest secure version.
2. Restricting access to management interfaces, ensuring they are not publicly accessible.
3. Regularly auditing system logs to detect unusual activity or indications of compromise.
4. Implementing Multi-Factor Authentication (MFA) for all administrative and sensitive accounts.

These actions significantly reduce the security risks posed by identified vulnerabilities and enhance overall resilience against cyber threats.

Source