PSIRT Advisory

FortiClient SSLVPN Linux - Arbitrary write to log file

Summary

The first launch of FortiClient SSLVPN Linux creates a log file without any prior check. By previously creating a symbolic or hard link with the name of the log file to any file in the filesystem, an attacker may smash the latter existing file. This is due to the fact that the first launch of FortiClient SSLVPN Linux will then add log content to the said file.

Impact

Potential execution of unauthorized code or commands

Affected Products

FortiClient SSLVPN for Linux available with FortiOS before versions 5.4.2 and below.

Solutions

Upgrade to FortiClient SSLVPN Linux available with FortiOS version 5.4.3 or above.

Acknowledgement

Fortinet is pleased to thank Grzegorz Wrobel of STMSolutions for reporting this vulnerability under responsible disclosure.