Our latest research from Pentera Labs uncovers high-severity Fortinet vulnerability CVE-2024-47574, exposing risks in FortiClient’s use of Windows Named Pipes. Improper access control in FortiClient could allow attackers to escalate privileges, tamper with configurations, and access sensitive data.
The discovery began with PipeViewer, an open-source tool described as “a GUI tool for viewing Windows Named Pipes and searching for insecure permissions.” This piqued the interest of one of our security researchers, ultimately leading to these findings.
Named pipes in Windows are a widely used technique for inter-process communication. They're like the small opening in a bank teller window. You and the teller stand face to face, passing items or information through this small hole. Some operations, like asking for exchange rates, can be done by anyone. However, other operations, like withdrawing money from a specific bank account, require special privileges.
In a secure system, you wouldn't want anyone else to be able to take part in this exchange. For example, what if someone else was able to add their own request to transfer money from your account to their account, and the teller acted as though you asked for it? That, in essence, is what we managed to do with CVE-2024-47574 and a second vulnerability, which will be published by Fortinet in their next advisory update.
In this Pentera Labs research, we took a look at the way FortiClient VPN uses named pipes in Windows to communicate with other Fortinet-related services. This led to the discovery of two vulnerabilities that allowed us to access the APIs of privileged Fortinet services and achieve Local Privilege Escalation (LPE). Additionally, we share insights into secure design approaches for multi-service software.
Watch our 30-minute walkthrough of this research.
Pentera researchers discovered the following two vulnerabilities in Fortinet’s FortiClient:
If your organization uses FortiClient version 7.2.4.0972 or earlier, you may be affected by Fortinet vulnerability CVE-2024-47574.
Hackers might use these vulnerabilities to elevate their privileges on an affected Windows machine. This could allow them to gain SYSTEM privileges, access clear-text credentials, change Fortinet registry values, and access sensitive information on the system.
If you are using FortiClient version 7.2.4.0972 or an older version, we strongly suggest that you:
Read the full research article detailing both vulnerabilities.
Watch Pentera security researcher, Nir Chako, walk through his journey to uncover these vulnerabilities.