Fortinet has released patches to address a critical security flaw affecting FortiClientLinux that could be exploited to achieve arbitrary code execution.
Classified as CVE-2023-45590, the vulnerability has a CVSS score of 9.4 out of a possible 10.
“Code Injection Improper Control Vulnerability”. [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code by tricking a FortiClientLinux user into visiting a malicious website,” Fortinet said in an advisory.
The flaw, which has been described as a case of remote code execution due to a “dangerous nodejs configuration”, impacts the following releases:
- FortiClientLinux versions 7.0.3 to 7.0.4 and 7.0.6 to 7.0.10 (upgrade to 7.0.11 or later)
- FortiClientLinux version 7.2.0 (upgrade to 7.2.1 or later)
Security researcher CataLpa of Dbappsecurity was credited with discovering and reporting the vulnerability.
Fortinet’s security patches for April 2024 also address an issue with the FortiClientMac installer that could also lead to code execution (CVE-2023-45588 and CVE-2024-31492, CVSS scores: 7.8).
Also fixed was a bug in FortiOS and FortiProxy that could leak administrator cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).
While there is no evidence that any of the flaws are being exploited in the wild, users are advised to keep their systems updated to mitigate potential threats.