FortiClient SSLVPN Linux - Root privilege escalation with subproc
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-16-041
Final
1
1
2017-04-05T00:00:00
Current version
2017-04-05T00:00:00
2017-04-05T00:00:00
The first run of the FortiClient SSLVPN script results in the subproc file becoming suid & root owned binary. The issue lays in the lack of any check if this is the right file that the ownership and suid flag should be granted to. Replacement of this file with another appropriate file could result in its execution with root privilege.
Escalation of privilege
FortiClient SSLVPN for Linux available with FortiOS before versions 5.4.3 and below.
Upgrade to FortiClient SSLVPN Linux available with FortiOS version 5.4.4 or above.
Fortinet is pleased to thank Grzegorz Wrobel of STMSolutions for reporting this vulnerability under responsible disclosure.
SSL_VPN 5.2.9
SSL_VPN 5.2.8
SSL_VPN 5.2.7
SSL_VPN 5.2.5
SSL_VPN 5.2.4
SSL_VPN 5.2.3
SSL_VPN 5.2.2
SSL_VPN 5.2.1
SSL_VPN 5.0.9
SSL_VPN 5.0.5
SSL_VPN 5.0.4
SSL_VPN 5.0.3
SSL_VPN 5.0.2
SSL_VPN 5.0.1
SSL_VPN 5.0.0
SSL_VPN 4.3.12
SSL_VPN 4.3.11
SSL_VPN 4.3.10
SSL_VPN 4.3.8
SSL_VPN 4.3.3
SSL_VPN 4.3.0
SSL_VPN 4.2.9
SSL_VPN 4.2.2
SSL_VPN 4.2.0
SSL_VPN 4.1.1
SSL_VPN 4.1.0
SSL_VPN 4.0.2
SSL_VPN 4.0.0
SSL_VPN 3.0.0
FortiClient SSLVPN Linux - Root privilege escalation with subproc
CVE-2016-8497
SSL_VPN-5.2.9
SSL_VPN-5.2.8
SSL_VPN-5.2.7
SSL_VPN-5.2.5
SSL_VPN-5.2.4
SSL_VPN-5.2.3
SSL_VPN-5.2.2
SSL_VPN-5.2.1
SSL_VPN-5.0.9
SSL_VPN-5.0.5
SSL_VPN-5.0.4
SSL_VPN-5.0.3
SSL_VPN-5.0.2
SSL_VPN-5.0.1
SSL_VPN-5.0.0
SSL_VPN-4.3.12
SSL_VPN-4.3.11
SSL_VPN-4.3.10
SSL_VPN-4.3.8
SSL_VPN-4.3.3
SSL_VPN-4.3.0
SSL_VPN-4.2.9
SSL_VPN-4.2.2
SSL_VPN-4.2.0
SSL_VPN-4.1.1
SSL_VPN-4.1.0
SSL_VPN-4.0.2
SSL_VPN-4.0.0
SSL_VPN-3.0.0
0
https://fortiguard.fortinet.com/psirt/FG-IR-16-041
FortiClient SSLVPN Linux - Root privilege escalation with subproc
Reference>