A serious security bug has been discovered in Forcepoint VPN Client for Windows. According to researchers, exploiting the bug could lead to privilege escalation.
Forcepoint VPN Client Bug
The security research team from SafeBreach Labs has come up with another interesting finding. This time, they have discovered a security bug in Forcepoint VPN Client. The vulnerability in this software for Windows could allow an attacker to gain elevated privileges on the target device. The bug could also allow persistence and, in some cases, defense evasion.
Nonetheless, exploiting this vulnerability required the attacker to have Administrator privileges.
Specifically, they spotted an unquoted search path vulnerability in the Forcepoint VPN Client. Owing to this flaw, the program, when executed, looked for an executable file in two locations, C:\Program.exe and C:\Program Files (x86)\Forcepoint\VPN.exe. If it came across such a file, it could execute it even if the file was unsigned.
Thus, an adversary could exploit the flaw simply by planting a malicious executable file in either of the two locations. The program, when executed, would run this file, thereby providing SYSTEM privileges to the attacker.
The researcher created a PoC for the flaw and stated:
Our arbitrary unsigned EXE file was executed as NT AUTHORITY\SYSTEM by a legitimate process which is signed by Forcepoint LLC.
Details of the PoC are available in their blog post.
The vulnerability affected all Forcepoint VPN Client for Windows versions prior to 6.6.1. It has received the CVE number CVE-2019-6145 and has attained a medium severity rating with CVSSv3 base score of 6.5.
Forcepoint Fixed The Bug
Upon finding the vulnerability, SafeBreach Labs reported it to Forcepoint on September 5, 2019. On the same day, Forcepoint confirmed the vulnerability and began working on a fix.
According to their advisory, the vendor has released the fix with software version 6.1.1. They recommend that users upgrade their systems to the latest version to stay protected from potential mishaps.
To prevent any exploit in vulnerable versions, Forcepoint advises restricting non-admin users from creating or copying executable files to “C:\Program Files (x86)\Forcepoint\”.
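To audit other services for the unquoted search path pattern described above, the following Python example (added here, not code from SafeBreach Labs or Forcepoint) lists the paths Windows would try before the intended executable. The service names and ImagePath values are constructed, and the "VPN Client" directory and example.exe file name are assumptions for illustration.

```python
import re

# Executable part of a service ImagePath: text up to the first ".exe".
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def hijack_candidates(image_path):
    """Paths Windows tries before the intended binary for an unquoted path."""
    path = image_path.strip()
    if path.startswith('"'):          # quoted: the path is unambiguous
        return []
    m = _EXE.match(path)
    if not m:
        return []
    exe, found = m.group(1), []
    for i, ch in enumerate(exe):
        if ch != " ":
            continue
        prefix = exe[:i]              # path truncated at this space
        # Windows appends ".exe" when the truncated name has no extension.
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        if prefix not in found:
            found.append(prefix)
    return found

def audit(services):
    """Map service name -> candidate paths, for unquoted entries only."""
    return {n: c for n, p in services.items() if (c := hijack_candidates(p))}

# Constructed sample data (not taken from a real system or from the advisory).
SERVICES = {
    "ExampleVpnSvc": r"C:\Program Files (x86)\Forcepoint\VPN Client\example.exe -service",
    "QuotedSvc": r'"C:\Program Files\Vendor\App Dir\svc.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, paths in audit(SERVICES).items():
        print(name)
        for p in paths:
            print("  should not exist or be writable by non-admins:", p)
```

Any service the audit reports should have its path quoted by the vendor or administrator, and the listed locations should be checked for unexpected files.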