CVE-2020-9290 in FortiClient

Summary

by MITRE

An Unsafe Search Path vulnerability in FortiClient for Windows online installer 6.2.3 and below may allow a local attacker with control over the directory in which FortiClientOnlineInstaller.exe and FortiClientVPNOnlineInstaller.exe reside to execute arbitrary code on the system via uploading malicious Filter Library DLL files in that directory.


Analysis

by VulDB Data Team • 03/16/2020

The vulnerability identified as CVE-2020-9290 is a critical unsafe search path issue in the FortiClient for Windows online installer, versions 6.2.3 and earlier. The flaw manifests when FortiClientOnlineInstaller.exe or FortiClientVPNOnlineInstaller.exe is run from a directory an attacker controls, which opens a path to privilege escalation through a planted, malicious DLL. It stems from the installer's handling of dynamic link library loading: the installer searches for required components in the current working directory before the system directories, so an attacker can place malicious Filter Library DLL files there and have them executed with the installer's elevated privileges.

Exploitation involves placing a specially crafted DLL carrying the name of the expected Filter Library in the same directory as the vulnerable installer executable. When the installer runs and resolves its required libraries, it finds and loads the attacker-controlled DLL before the legitimate system component. This behaviour maps directly to CWE-427 Uncontrolled Search Path Element, which covers attackers influencing the order of library resolution through improperly handled search paths. The underlying principle is that an application should not treat the current working directory as a trusted location for loading dynamic libraries without validation.

Operationally, this vulnerability is a significant risk in enterprise environments where FortiClient is deployed, since it allows a local attacker to execute arbitrary code with the privileges of the installer process. The impact extends beyond code execution to system compromise, privilege escalation and data exfiltration; an attacker can use it to establish persistent access, deploy additional malware or tamper with the FortiClient installation to create backdoors. The attack vector is particularly concerning because it requires minimal privileges: the attacker only needs write access to the directory containing the installer, which regular users often have in many enterprise environments.

The security implications of CVE-2020-9290 align with several ATT&CK techniques, including T1059 Command and Scripting Interpreter and T1068 Exploitation for Privilege Escalation. Organizations running affected FortiClient versions are exposed because the weakness can be triggered by simple directory manipulation, and the risk is amplified by the fact that FortiClient installers are often run from user-accessible directories, making it easy to position a malicious DLL. Mitigation should include immediate patching to version 6.2.4 or later, strict directory permissions, and application whitelisting controls that block execution of unauthorized DLL files. Security monitoring should also watch for unusual file creation in directories containing installer executables, since that pattern may indicate an exploitation attempt.

Organizations should also apply the principle of least privilege to installer execution, ensuring that installation processes run with the minimum permissions required. The vulnerability demonstrates the importance of proper library loading practices and of security awareness in application development, and regular security assessments of third-party software installation processes should be conducted to find similar unsafe search path implementations. Network segmentation and endpoint detection and response solutions can help detect exploitation attempts, while hardening measures such as removing unnecessary user write permissions on installation directories add further defense layers. The vulnerability is a reminder of the importance of secure coding practices and proper privilege management throughout the software development lifecycle.
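As an added example (not from the VulDB record, MITRE or Fortinet), the following Python implements the monitoring suggested in the two paragraphs above: it runs over constructed Sysmon-style image-load records and flags any DLL that one of the named installers loaded from its own directory rather than from a Windows system directory. The installer names come from the advisory; the sample paths, the placeholder DLL name and the pipe-separated record layout are assumptions.

```python
from pathlib import PureWindowsPath

# Installer executables named in the advisory.
INSTALLER_NAMES = {"forticlientonlineinstaller.exe", "forticlientvpnonlineinstaller.exe"}

# Directories a legitimately resolved system DLL should come from
# (assumption: a default Windows layout on drive C:).
SYSTEM_DIRS = [PureWindowsPath(p) for p in
               (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]

# Constructed sample records: field=value pairs separated by '|', mirroring the
# Sysmon Event ID 7 fields Image, ImageLoaded and Signed. The DLL name
# filter_placeholder.dll is a placeholder; the real library name is not given.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\Downloads\FortiClientOnlineInstaller.exe|ImageLoaded=C:\Windows\System32\KERNEL32.DLL|Signed=true",
    r"Image=C:\Users\alice\Downloads\FortiClientOnlineInstaller.exe|ImageLoaded=C:\Users\alice\Downloads\filter_placeholder.dll|Signed=false",
    r"Image=C:\Users\alice\Downloads\FortiClientVPNOnlineInstaller.exe|ImageLoaded=C:\Windows\SysWOW64\VERSION.dll|Signed=true",
    r"Image=C:\Program Files\SomeTool\tool.exe|ImageLoaded=C:\Program Files\SomeTool\helper.dll|Signed=true",
]


def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict of field -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def under(path, root):
    """True when path lies inside root (PureWindowsPath compares case-insensitively)."""
    return root == path or root in path.parents


def suspicious_loads(lines):
    """Return (process, dll, reason) for DLLs an installer loaded from its own directory."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        proc = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if proc.name.lower() not in INSTALLER_NAMES or dll.suffix.lower() != ".dll":
            continue  # only the advisory's installers, only DLL images
        if any(under(dll, d) for d in SYSTEM_DIRS):
            continue  # resolved from a system directory: expected
        if dll.parent == proc.parent:
            reason = "loaded from installer directory"
            if ev.get("Signed", "").lower() != "true":
                reason += ", unsigned"
            findings.append((str(proc), str(dll), reason))
    return findings


if __name__ == "__main__":
    for proc, dll, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {reason}")
```

Any finding should be triaged together with a file-creation event in the same directory shortly before the installer started, as the analysis recommends.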

Reservation

02/19/2020

Moderation

accepted

CPE

ready

EPSS

0.00049

KEV

no

Activities

very low
