PSIRT Advisory

FortiClient installer DLL Hijacking Vulnerability

Summary

Multiple unsafe search path vulnerabilities in FortiClient online installers may allow an attacker with write access to the directory in which an installer resides to execute arbitrary code on the system by placing malicious .dll files in that directory, where the installer's DLL search path picks them up.
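The practical check that follows from this class of bug is to look at what sits beside an installer before running it, and to run it from a directory nobody else could have written to. The script below is an added example written for this advisory; it is not Fortinet code and does not model any specific DLL the installers load. It lists every .dll next to an installer and stages the installer alone in a freshly created directory so no planted DLL is on its search path. The directory layout and the file names it creates (including "planted.dll") are constructed for the demonstration.

```python
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Added example, not Fortinet code. The advisory describes installers that
# resolve DLLs from the directory they are run from, so anyone who can write
# to that directory (a shared Downloads folder, for instance) can plant a DLL
# the installer will load. Two defensive steps:
#   1. enumerate the DLLs beside the installer before running it;
#   2. copy the installer alone into a new, empty directory and run it there.


def dlls_beside(installer: Path) -> list[Path]:
    """Return every .dll file (case-insensitive) in the installer's directory."""
    installer = Path(installer).resolve()
    return sorted(
        p for p in installer.parent.iterdir()
        if p.is_file() and p.suffix.lower() == ".dll"
    )


def stage_in_clean_dir(installer: Path) -> Path:
    """Copy the installer into a freshly created directory and return its new path.

    tempfile.mkdtemp creates the directory with owner-only permissions on
    POSIX; on Windows it inherits the user's temp-folder ACL. Either way the
    directory did not exist a moment ago, so nothing else can be waiting in
    it for the loader to pick up.
    """
    installer = Path(installer).resolve()
    clean_dir = Path(tempfile.mkdtemp(prefix="installer-stage-"))
    staged = clean_dir / installer.name
    shutil.copy2(installer, staged)
    leftovers = [p for p in clean_dir.iterdir() if p != staged]
    if leftovers:  # cannot happen for a directory we just created; fail loudly if it does
        raise RuntimeError(f"unexpected files in staging directory: {leftovers}")
    return staged


def build_demo_download_dir() -> Path:
    """Construct a Downloads-like directory holding an installer and a planted DLL.

    All files are empty placeholders; the DLL name is arbitrary and is not a
    DLL named by the advisory.
    """
    d = Path(tempfile.mkdtemp(prefix="downloads-demo-"))
    (d / "FortiClientOnlineInstaller.exe").write_bytes(b"")
    (d / "planted.dll").write_bytes(b"")
    (d / "notes.txt").write_bytes(b"")
    return d


if __name__ == "__main__":
    demo_dir = build_demo_download_dir()
    installer = demo_dir / "FortiClientOnlineInstaller.exe"
    print("DLLs beside installer:", [p.name for p in dlls_beside(installer)])
    staged = stage_in_clean_dir(installer)
    print("Staged copy:", staged)
    print("DLLs beside staged copy:", [p.name for p in dlls_beside(staged)])
    shutil.rmtree(demo_dir)
    shutil.rmtree(staged.parent)
```

Staging does not fix the installer itself; the fixed versions listed under Solutions do that. It only removes the precondition the advisory names, control over the directory the installer resides in, for the one run you perform.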

Impact

Unauthorized code execution.

Affected Products

FortiClientOnlineInstaller.exe for FortiClient for Windows 6.0.5 and below (CVE-2019-5589)

FortiClientOnlineInstaller.exe for FortiClient for Windows 6.2.3 and below (CVE-2020-9290)

FortiClientVPNOnlineInstaller.exe for FortiClient VPN for Windows 6.2.3 and below (CVE-2020-9290)

FortiClientEMSOnlineInstaller.exe for FortiClient EMS 6.2.1 and below (CVE-2020-9287)

Solutions

CVE-2019-5589: Use FortiClient for Windows online installer 6.0.6 or above

CVE-2020-9290: Use FortiClient for Windows online installer 6.2.4 or above, and FortiClient VPN for Windows online installer 6.2.4 or above

CVE-2020-9287: Use FortiClient EMS online installer 6.2.2 or above


Revision History:

05-16-2019 Initial version
03-09-2020 Added CVE-2020-9290 and CVE-2020-9287

Acknowledgement

Fortinet is pleased to thank independent security researcher Honc (honcbb@gmail.com) for reporting CVE-2019-5589 and CVE-2020-9290, Houjingyi (houjingyi647@gmail.com) for reporting CVE-2020-9290 and CVE-2020-9287, and security researcher Eran Shimony from CyberArk Labs for reporting CVE-2020-9290, all under responsible disclosure.