Cross-site scripting & privilege escalation bugs in Fortinet’s FortiGateCloud and FortiClient

A team of computer forensics specialists has reported two vulnerabilities in FortiClient and FortiGateCloud, both products of Fortinet Inc. According to the report, exploiting these flaws could lead to malicious scenarios such as privilege escalation or cross-site scripting (XSS) attacks. FortiGateCloud is a cloud-based management platform for FortiGate firewalls, while FortiClient is a security suite for advanced protection of computers and systems.

Below is a brief overview of the vulnerabilities found, together with their tracking identifiers and their scores on the Common Vulnerability Scoring System (CVSS).

The first of the flaws, tracked as CVE-2020-9291, exists because the FortiClient suite for the Windows operating system allows local users to obtain high privileges by exhausting the set of temporary file names and combining this with a symbolic link attack, as the computer forensics experts explained.

Exploiting this vulnerability would allow threat actors to elevate their privileges on the target system. This flaw is present in the following versions of FortiClient: 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.2.0 & 6.2.1.

The flaw can only be exploited locally by hackers already authenticated on the target system, which significantly reduces the chances of exploitation; in addition, no exploit that triggers the attack has been identified. The vulnerability received a score of 6.8/10, so it is considered a medium severity flaw.
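To make the mechanism behind this flaw concrete, here is an added illustration (not Fortinet's or FortiClient's code) of the general bug class: a temporary-file opener that uses predictable names without O_EXCL, beside a hardened opener that refuses existing paths and fails closed when its name space is exhausted. The directory, file names and "victim" file are constructed for the demo, and POSIX open() semantics are assumed even though the affected product runs on Windows.

```python
import os
import secrets
import tempfile
from typing import Iterable, Optional
# Constructed demo of the bug class behind CVE-2020-9291 (temp-file-name exhaustion
# plus a planted symlink); directory, names and "victim" file are assumptions.

def insecure_open_temp(tmpdir: str, names: Iterable[str]) -> str:
    """Predictable names, no O_EXCL: once all exist, the first is reused and a planted symlink followed."""
    names = list(names)
    for name in names:
        path = os.path.join(tmpdir, name)
        if not os.path.lexists(path):
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600))
            return path
    path = os.path.join(tmpdir, names[0])            # namespace "exhausted": reuse a name
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600))
    return path

def secure_open_temp(tmpdir: str, names: Optional[Iterable[str]] = None) -> str:
    """O_EXCL rejects any existing path (symlinks included); exhaustion fails closed."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    if names is None:                                # unpredictable names by default
        names = (secrets.token_hex(16) for _ in range(64))
    for name in names:
        path = os.path.join(tmpdir, name)
        try:
            os.close(os.open(path, flags, 0o600))
            return path
        except FileExistsError:
            continue                                 # name taken (maybe hostile): skip it
    raise RuntimeError("temporary file namespace exhausted; not reusing a name")

def run_demo() -> dict:
    """Occupy the whole (tiny) name set with symlinks to a sensitive file, then compare openers."""
    tmpdir = tempfile.mkdtemp()
    victim = os.path.join(tmpdir, "victim.txt")      # stands in for a privileged file
    with open(victim, "w") as f:
        f.write("important")
    names = [f"tmp{i}" for i in range(3)]
    for n in names:
        os.symlink(victim, os.path.join(tmpdir, n))  # constructed adversarial state
    insecure_open_temp(tmpdir, names)                # follows tmp0 -> victim and truncates it
    result = {"victim_after_insecure": os.path.getsize(victim)}
    try:
        secure_open_temp(tmpdir, names)
        result["secure_refused"] = False
    except RuntimeError:
        result["secure_refused"] = True
    return result
```

The insecure opener silently empties the sensitive file through the planted link, while the hardened opener never writes through an existing path and raises once every candidate name is taken.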

The second reported flaw (no tracking identifier assigned) exists due to insufficient sanitization of user-submitted data on the FortiGateCloud login page and would allow threat actors to carry out XSS attacks.

A remote hacker could trick the victim into clicking on a specially crafted link and thereby execute arbitrary HTML and script code in the context of the vulnerable website. According to the computer forensics specialists, successful exploitation of this vulnerability would allow the theft of sensitive information, modification of the target website and phishing attacks, among other malicious activities.

The flaw is present in FortiGateCloud version 4.4, and although it can be exploited remotely by unauthenticated hackers, no exploit for the attack is known. The flaw received a score of 5.3/10 on the CVSS scale, so it is considered a low severity flaw.

Both flaws have already been fixed, so administrators of affected deployments are advised to install the patches released by the company. For further reports on vulnerabilities, exploits, malware variants and computer security risks, you can visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.