Fortinet Fixes Antivirus Vulnerability

Tuesday, September 8, 2015 @ 05:09 PM gHale

Fortinet fixed a privilege escalation bug in its FortiClient product that could allow an attacker to gain system-level privileges.

Core Security researchers found the vulnerability, which affected FortiClient versions 5.2.3 and earlier. The product is an antivirus client that ships with Fortinet’s FortiGate firewall and network security platform.


The vulnerability was responsibly disclosed in June and fixed in version 5.2.4, which shipped at the start of September, Fortinet’s security team said.

The problem lies in four FortiClient drivers (“mdare64_48.sys,” “mdare32_48.sys,” “mdare32_52.sys,” and “mdare64_52.sys”) which, when handling Input-Output Control (IOCTL) requests with specific parameters, allow an unprivileged user to obtain system-level privileges.
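A defender-side check for this issue, written here as an added example (it is not code from the article or from Fortinet): it reads the installed FortiClient version from the standard Windows Uninstall registry keys (the `FortiClient*` DisplayName match is an assumption), lists which of the four driver files named above are present under `System32\drivers`, and flags a host as needing the 5.2.4 update when the version is older than the fixed release.

```powershell
# Added example, not Fortinet's code. Checks a Windows host for the FortiClient
# drivers named in the article and compares the installed version with 5.2.4.
$FixedVersion = [version]'5.2.4'
$DriverNames  = 'mdare64_48.sys', 'mdare32_48.sys', 'mdare32_52.sys', 'mdare64_52.sys'

function Get-FortiClientInstalledVersion {
    # Standard Uninstall hives (64-bit and 32-bit). Matching on a DisplayName
    # beginning with "FortiClient" is an assumption about the installer's entry.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiClient*' -and $_.DisplayVersion } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-FortiClientDriverExposure {
    param([string]$InstalledVersion = (Get-FortiClientInstalledVersion))

    # Report each of the four driver files that is actually on disk, with its file version.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    $present = foreach ($name in $DriverNames) {
        $path = Join-Path $driverDir $name
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Driver      = $name
                FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            }
        }
    }

    # Versions 5.2.3 and earlier are affected; anything below 5.2.4 is below the fix.
    $parsed = $null
    $belowFix = $false
    if ($InstalledVersion -and [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        $belowFix = $parsed -lt $FixedVersion
    }

    [pscustomobject]@{
        InstalledVersion  = $InstalledVersion
        BelowFixedVersion = $belowFix
        DriversPresent    = @($present).Count
        DriverDetails     = $present
        NeedsUpdate       = ($belowFix -and @($present).Count -gt 0)
    }
}

Test-FortiClientDriverExposure | Format-List
```

If the version cannot be read from the registry, `BelowFixedVersion` stays `$false`, so treat a host with the drivers present but no version as unresolved rather than safe.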

This allowed an attacker who had already gained a foothold on the system by some other means to use this vulnerability in the FortiClient antivirus to obtain system-level privileges on a Windows machine.

With this access, an attacker could have infected the system with malware, extracted private data and sent it to a C&C server, added the workstation to a botnet, encrypted files, launched attacks on other connected machines, installed or uninstalled local applications, or done anything else they wished.