PSIRT Advisory

FortiClient SSLVPN Linux client local privilege escalation vulnerability


Installing the FortiClient SSLVPN Linux client, build 2312 and lower, in a home directory that is world readable and executable yields a privilege escalation vulnerability: any local user can then exploit the helper/subroc setuid binary to run arbitrary code with root privileges.


Privilege Escalation

Affected Products

Standalone FortiClient SSLVPN Linux client, build 2312 and lower.


Upgrade to FortiClient Linux SSLVPN version 2313 or above.
Actual exploitability varies with the host system: Ubuntu and Debian are known to set world readable-executable permissions on home directories by default, while Fedora (and most other Linux distributions) do not.
In the following example, user notvulnerable is not affected, while user iamvuln could be affected:
ls -l /home
total 28
drwx------. 3 notvulnerable notvulnerable 4096 Jul 21 14:26 notvulnerable
drwx---r-x. 6 iamvuln iamvuln 4096 Jul 21 14:26 iamvuln
A workaround is to apply chmod 700 to the home directory of the user who installed the Linux FortiClient SSLVPN client.
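The following shell script is an added example, not part of the Fortinet advisory and not FortiClient's own code. It audits home directories for the precondition described above (a home directory that grants read or execute permission to others and that contains a setuid file) and applies the chmod 700 workaround. The user names, the directory layout and the stand-in setuid file it creates under a temporary directory are constructed so the check can be run offline; they are not FortiClient's own paths or binaries.

```shell
#!/bin/sh
# Added example, not Fortinet's code: audit home directories for the
# condition the advisory describes (world readable/executable home that
# contains a setuid file) and apply the chmod 700 workaround.

# Return 0 if "others" have read or execute permission on DIR, else 1.
# The mode string comes from ls -ld so this works on GNU and BSD systems;
# characters 8-10 of it are the "others" bits (a trailing '.' or '+' is ignored).
home_is_world_accessible() {
    _dir="$1"
    [ -d "$_dir" ] || return 1
    _others=$(ls -ld "$_dir" | awk '{print substr($1, 8, 3)}')
    case "$_others" in
        *r*|*x*|*t*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print every setuid regular file under DIR; return 0 if at least one exists.
find_setuid_under() {
    _found=$(find "$1" -xdev -type f -perm -4000 2>/dev/null)
    [ -n "$_found" ] || return 1
    printf '%s\n' "$_found"
}

# Classify one home directory as the advisory's risk model sees it:
#   AT RISK     - world-accessible directory containing a setuid file
#   EXPOSED DIR - world-accessible, but no setuid file found
#   SETUID ONLY - setuid file present, but directory is not world-accessible
#   OK          - neither condition holds
audit_home() {
    if home_is_world_accessible "$1"; then
        if find_setuid_under "$1" >/dev/null; then echo "AT RISK"; else echo "EXPOSED DIR"; fi
    else
        if find_setuid_under "$1" >/dev/null; then echo "SETUID ONLY"; else echo "OK"; fi
    fi
}

# The advisory's workaround: owner-only access to the home directory.
harden_home() {
    chmod 700 "$1"
}

# Build a constructed /home look-alike in a temp dir and print its path.
# Hypothetical users and a stand-in setuid file, not FortiClient's files.
make_demo_homes() {
    _demo=$(mktemp -d)
    mkdir -p "$_demo/notvulnerable" "$_demo/iamvuln/sslvpn-client/helper"
    chmod 700 "$_demo/notvulnerable"   # drwx------ as in the advisory's listing
    chmod 705 "$_demo/iamvuln"         # drwx---r-x as in the advisory's listing
    printf '#!/bin/sh\nexit 0\n' > "$_demo/iamvuln/sslvpn-client/helper/setuid-helper"
    chmod 4755 "$_demo/iamvuln/sslvpn-client/helper/setuid-helper"   # stand-in setuid binary
    printf '%s\n' "$_demo"
}

# Stand-alone run: audit the constructed homes, harden the exposed one, re-audit.
DEMO=$(make_demo_homes)
for h in "$DEMO"/*; do
    printf '%-14s %s\n' "$(basename "$h")" "$(audit_home "$h")"
done
harden_home "$DEMO/iamvuln"
printf 'after chmod 700: iamvuln %s\n' "$(audit_home "$DEMO/iamvuln")"
rm -rf "$DEMO"
```

On a real host, run `for h in /home/*; do printf '%s %s\n' "$h" "$(audit_home "$h")"; done` as root to see which home directories match the advisory's precondition; "SETUID ONLY" after `harden_home` is the expected state for the workaround, since the setuid helper still exists but other local users can no longer reach it through the directory.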


Thanks to Brian Vincent.