The first launch of FortiClient SSLVPN Linux creates a log file without any prior check. By previously creating a symbolic or hard link with the name of the log file to any file in the filesystem, an attacker may smash the latter existing file. This is due to the fact that the first launch of FortiClient SSLVPN Linux will then add log content to the said file.
Affected ProductsFortiClient SSLVPN for Linux available with FortiOS before versions 5.4.2 and below.
SolutionsUpgrade to FortiClient SSLVPN Linux available with FortiOS version 5.4.3 or above.
Fortinet is pleased to thank Grzegorz Wrobel of STMSolutions for reporting this vulnerability under responsible disclosure.