Two New Zero-Day Vulnerabilities Uncovered in FortiClient VPN

Introduction

Our latest research from Pentera Labs uncovers high-severity Fortinet vulnerability CVE-2024-47574, exposing risks in FortiClient’s use of Windows Named Pipes. Improper access control in FortiClient could allow attackers to escalate privileges, tamper with configurations, and access sensitive data.

The discovery began with PipeViewer, an open-source tool described as “a GUI tool for viewing Windows Named Pipes and searching for insecure permissions.” This piqued the interest of one of our security researchers, ultimately leading to these findings.

Named pipes in Windows is a widely used technique for inter-process communication. They’re like the small opening in a bank teller window. You and the teller stand face to face, passing items or information through this small hole. Some operations, like asking for exchange rates, can be done by anyone. However, other operations, like withdrawing money from a specific bank account, require special privileges.

In a secure system, you wouldn’t want anyone else to be able to take part in this exchange. For example, what if someone else was able to add their own request to transfer money from your account to their account, and the teller acted as though you asked for it? In other words, that right there is what we managed to do with CVE-2024-47574 and a second vulnerability, which will be published by Fortinet in their next advisory update.

In this Pentera Labs research, we took a look at the way FortiClient VPN uses named pipes in Windows to communicate with other Fortinet-related services. This led to the discovery of two vulnerabilities that allowed us to access the APIs of privileged Fortinet services and achieve Local Privilege Escalation (LPE). Additionally, we share insights into secure design approaches for multi-service software.

Who should read this?

• Security researchers and red teamers – Engage in the exploration of novel attack and research techniques.
• Defense teams and blue teamers – Ensure you can swiftly mitigate potential threats, validate your defenses against the vulnerabilities, and maintain robust security postures across the attack surfaces​​​​​​​​.
• CISOs – Stay informed about emerging threats and understand the potential risks to your organization.
• Software engineers – Understand the importance of secure software design, ensuring that your own coding practices will prevent similar vulnerabilities.

Sign up for our live session on December 3 for an in-depth walkthrough of this research.

Summary: Piping hot Fortinet vulnerabilities

Pentera researchers discovered the following two vulnerabilities in Fortinet’s FortiClient:

• CVE-2024-47574 – An improper access control vulnerability in FortiClient allows an authenticated low-privileged threat actor direct access to tamper with the service configuration, alter some registry keys of the service and delete sensitive log files.
• CVE 2 – Threat actors can gain access to a plain text encryption key that is saved as part of the FortiClient services executable files. Accessing this results in the decryption of sensitive information. This vulnerability was responsibly disclosed by Pentera and patched by Fortinet in the latest FortiClient version release 7.4.1. A CVE number has been assigned and the advisory will be released shortly.

Does it apply to my organization?

If your organization uses FortiClient version 7.2.4.0972 or earlier, you may be affected by Fortinet vulnerabilities CVE-2024-47574.

Impact of Fortinet Vulnerabilities CVE-2024-47574

Hackers might use these vulnerabilities to elevate their privileges on an affected Windows machine. This could allow them to gain SYSTEM privileges, access to clear text credentials, changing Fortinet registry values and access sensitive information on the system.

Mitigations for Fortinet Vulnerabilities CVE-2024-47574

In case you are using FortiClient version 7.2.4.0972 or an older version, we would strongly suggest you:

• Update to the new FortiClient version – see here
• Make sure to use an EDR to block code-injection attempts
• Monitor access to sensitive files by FCConfig.exe

Read the full research article detailing both vulnerabilities here and sign up for a live 30-minute online session on December 3 at 11:00 AM Eastern Time, where the researcher who discovered them, Nir Chako, will walk through the story of how these vulnerabilities were uncovered.

For more information, reach out to us at [email protected].