A patch has been issued to resolve a privilege escalation vulnerability in Forcepoint VPN Client software for Windows.
Last week, cybersecurity researchers from SafeBreach Labs disclosed the security flaw, tracked as CVE-2019-6145, and said the bug could be used not only to escalate an attacker’s privileges but also to maintain persistence on an infected system.
Described as an unquoted search path vulnerability and awarded a CVSSv3 base severity score of 6.5, the problem exists in Forcepoint VPN Client for Windows software versions 6.6.0 and earlier.
See also: VPN services: The ultimate guide to protecting your data on the Internet
In the client software of the virtual private network (VPN) system, previously known as Stonesoft VPN Client, a coding issue meant that during boot sequences on Windows machines, the VPN incorrectly attempts to execute programs from C:Program.exe and C:Program Files (x86)ForcepointVPN.exe.
The client runs the signed sgvpn.exe Windows service as NT AUTHORITYSYSTEM, and this requires administrator levels of permission.
Should a threat actor plant a malicious executable in either of the aforementioned locations, the software would automatically execute it, which enables system-level privilege escalation.
It is worth noting that to exploit the vulnerability, a local attacker must already have admin privileges to plant the payloads. However, if they pull off an attack, this can lead to malicious executables being launched every time the VPN is being loaded, as well as application whitelisting bypass.
CNET: Facebook suspends tens of thousands of apps following Cambridge Analytica scandal
In order to test the flaw, SafeBreach Labs crafted a Proof-of-Concept (PoC) unsigned .exe file. When a vulnerable version of the VPN was launched, the file was executed as NT AUTHORITYSYSTEM by the legitimate Forcepoint application.
The root cause of the bug is a lack of a quoted string between the executable’s path and arguments on the command line, causing a Forcepoint VPN startup process to split itself when space characters are parsed.
The researchers reported their findings to Forcepoint on September 5 and the company confirmed the vulnerability’s validity on the same day. A CVE was issued by September 16, and after a patch was issued, Forcepoint released a security advisory on September 19.
TechRepublic: Organizations struggle to manage cyberthreats without automation
It is recommended that Forcepoint VPN users upgrade to version 6.6.1 or higher to protect themselves from compromise.
ZDNet has reached out to Forcepoint with additional queries and will update when we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
Credit: Zdnet
