-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.4350.2
           Privilege escalation and DoS in FortiClient for Linux
                         through local IPC socket
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortinet FortiClient
Publisher:         FortiGuard
Operating System:  Linux variants
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17652 CVE-2019-16155 CVE-2019-16152
                   CVE-2019-15711  

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-238

Revision History:  January  30 2020: Vendor updated advisory 'CVE-2019-16155 through GUI addressed in 6.2.3'
                   November 18 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Privilege escalation and DoS in FortiClient for Linux through local IPC socket

IR Number : FG-IR-19-238

Date      : Nov 15, 2019

Risk      : 3/5

Impact    : Privilege Escalation, System Command Injection, Denial of Service

CVE ID    : CVE-2019-15711, CVE-2019-16152, CVE-2019-16155, CVE-2019-17652

Summary

A privilege escalation vulnerability in FortiClient for Linux may allow a user
with low privilege to run root system commands, overwrite system files or cause
FortiClient processes to crash via injecting specially crafted client requests
in the IPC socket of the FortiClient process.


The following four CVE identifiers were assigned to these vulnerabilities based
on different attack vectors:


CVE-2019-15711 - System command injection through IPC socket by export logs

CVE-2019-16152 - DoS through IPC socket by a malformed nanomsg message

CVE-2019-16155 - Privilege escalation through IPC socket or GUI by backup file

CVE-2019-17652 - DoS through IPC socket by argv values passed over nanomsg

Impact

Privilege Escalation, System Command Injection, Denial of Service

Affected Products

CVE-2019-15711 - FortiClient for Linux 6.2.1 and below

CVE-2019-16152 - FortiClient for Linux 6.2.1 and below

CVE-2019-16155 - FortiClient for Linux 6.2.1 and below (IPC socket)

CVE-2019-16155 - FortiClient for Linux 6.2.2 and below (GUI)

CVE-2019-17652 - FortiClient for Linux 6.2.1 and below

Solutions

CVE-2019-15711 - Upgrade to FortiClient for Linux 6.2.2

CVE-2019-16152 - Upgrade to FortiClient for Linux 6.2.2

CVE-2019-16155 - Upgrade to FortiClient for Linux 6.2.2 (IPC socket)

CVE-2019-16155 - Upgrade to FortiClient for Linux 6.2.3 (GUI)

CVE-2019-17652 - Upgrade to FortiClient for Linux 6.2.2
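The affected-version and fix-version tables above encode one subtlety that is easy to miss in triage: CVE-2019-16155 has two vectors with different fix versions, so a 6.2.2 install is still exposed through the GUI vector. The following added example (not part of the Fortinet or AusCERT text) turns those tables into a small checker for an installed FortiClient for Linux version string; it assumes versions compare as dotted integer tuples and that any version older than the listed fix version is affected, as the tables state. The sample version strings in `__main__` are constructed inputs.

```python
import re

# Fix version per (CVE, attack vector), taken from the advisory's
# "Affected Products" and "Solutions" tables. Anything older is affected.
FIXED_IN = {
    ("CVE-2019-15711", "IPC socket"): (6, 2, 2),
    ("CVE-2019-16152", "IPC socket"): (6, 2, 2),
    ("CVE-2019-16155", "IPC socket"): (6, 2, 2),
    ("CVE-2019-16155", "GUI"):        (6, 2, 3),
    ("CVE-2019-17652", "IPC socket"): (6, 2, 2),
}


def parse_version(text):
    """Turn '6.2.1', 'v6.2.2' or '6.2.2 build 0123' into an int tuple,
    keeping only the leading dotted numeric part."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def cmp_versions(a, b):
    """Three-way compare; shorter tuples are zero-padded so 6.2 == 6.2.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def open_issues(installed):
    """Return sorted (CVE, vector, upgrade_to) triples still open for the
    given installed FortiClient for Linux version string."""
    v = parse_version(installed)
    return sorted(
        (cve, vector, ".".join(map(str, fix)))
        for (cve, vector), fix in FIXED_IN.items()
        if cmp_versions(v, fix) < 0
    )


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any host.
    for ver in ("6.0.9", "6.2.1", "6.2.2 build 0123", "6.2.3"):
        print(ver, "->", open_issues(ver) or "not affected by FG-IR-19-238")
```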


Fortinet is not aware of any public code attempting to exploit these
vulnerabilities.


Revision History:
2019-11-05 Initial version
2020-01-27 CVE-2019-16155 through GUI addressed in 6.2.3

Acknowledgement

Fortinet is pleased to thank "Cees Elzinga from Langkjaer Cyber Defence" for
reporting these vulnerabilities under responsible disclosure.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----