FortiClient SSLVPN Linux - Root privilege escalation with subproc

Summary

The first run of the FortiClient SSLVPN script results in the subproc file becoming  suid & root owned binary. The issue lays in the lack of any check if this is the right file that the ownership and suid flag should be granted to. Replacement of this file with another appropriate file could result in its execution with root privilege.

Affected Products

FortiClient SSLVPN for Linux available with FortiOS before versions 5.4.3 and below.

Solutions

Upgrade to FortiClient SSLVPN Linux available with FortiOS version 5.4.4 or above.

Acknowledgement

Fortinet is pleased to thank Grzegorz Wrobel of STMSolutions for reporting this vulnerability under responsible disclosure.