PSIRT Advisory

Gain Windows privileges with FortiClient vpn before logon and untrusted certificate

Summary

When the "VPN before logon" feature of FortiClient Windows is enabled (disabled by default), and when the server certificate is not valid, it is possible for an attacker without a user account on the targeted Windows workstation to obtain SYSTEM level privileges, via exploiting the Windows "security alert" dialog thereby popping up.
This may be achieved locally or remotely (for instance through RDP, if the logon screen is exposed).

Impact

Escalation of privilege

Affected Products

FortiClient Windows 5.6.0
FortiClient Windows 5.4.3 and earlier

Solutions

Upgrade to FortiClient Windows 5.4.4 or 5.6.1

Acknowledgement

Fortinet is pleased to thank Clement NOTIN of INTRINSEC for reporting this vulnerability under responsible disclosure.