FortiClient SSLVPN Linux - Root privilege escalation with subproc
The first run of the FortiClient SSLVPN script results in the subproc file becoming suid & root owned binary. The issue lays in the lack of any check if this is the right file that the ownership and suid flag should be granted to. Replacement of this file with another appropriate file could result in its execution with root privilege.
Escalation of privilege
FortiClient SSLVPN for Linux available with FortiOS before versions 5.4.3 and below.
Upgrade to FortiClient SSLVPN Linux available with FortiOS version 5.4.4 or above.
Fortinet is pleased to thank Grzegorz Wrobel of STMSolutions for reporting this vulnerability under responsible disclosure.