Update functionality may lead to privilege escalation vulnerability

Summary

A download of code without integrity check vulnerability [CWE-494] in FortiClientMac may allow a local attacker to escalate their privileges by modifying the installer during an upgrade.
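One defender-side check for the CWE-494 pattern described above, written as an added example (not Fortinet's code, and not how FortiClientMac implements its fix): it verifies the staged installer's ownership, permissions and SHA-256 digest on a single open descriptor before a privileged install step, so that a local user cannot edit or swap the file in between. The expected digest and the staging path are assumptions of the example.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Assumption: expected_sha256 comes from a trusted, separately authenticated
# channel (e.g. signed update metadata), not from the unauthenticated download.
def verify_staged_installer(path, expected_sha256):
    """Return "ok" if the staged installer may be passed to a privileged
    install step, otherwise the reason for rejecting it. Every check,
    including the hash, runs on one open descriptor, and the caller should
    install from that same descriptor rather than reopening the path."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return "not a regular file"
        # A group- or world-writable staging file can be edited by any
        # local user between download and privileged execution.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return "writable by other local users"
        if st.st_uid not in (0, os.geteuid()):
            return "owned by another user"
        h = hashlib.sha256()
        for chunk in iter(lambda: os.read(fd, 65536), b""):
            h.update(chunk)
        if not hmac.compare_digest(h.hexdigest(), expected_sha256):
            return "digest mismatch"
        return "ok"
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: intact file, file edited in place, world-writable file."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "installer.pkg")
        with open(p, "wb") as f:
            f.write(b"constructed installer bytes")
        os.chmod(p, 0o600)
        good = hashlib.sha256(b"constructed installer bytes").hexdigest()
        results.append(verify_staged_installer(p, good))
        with open(p, "r+b") as f:
            f.write(b"X")  # local user tampers with the staged installer
        results.append(verify_staged_installer(p, good))
        os.chmod(p, 0o666)
        results.append(verify_staged_installer(p, good))
    return results
```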

Affected Products

FortiClientMac version 7.0.0 through 7.0.7
FortiClientMac version 6.4 all versions
FortiClientMac version 6.2 all versions
FortiClientMac version 6.0 all versions

Solutions

Please upgrade to FortiClientMac version 7.0.8 or above.
Please upgrade to FortiClientMac version 7.2.0 or above.

Acknowledgement

Internally discovered and reported by Eric Hu of Fortinet Software Development team.

Timeline

2023-04-03: Initial publication