CVE-2020-9295
📋 TL;DR
This vulnerability affects Fortinet's antivirus engine in FortiOS and FortiClient, causing delayed detection of malicious files within malformed RAR archives. Attackers could bypass initial scanning to deliver malware. Affected users include those running vulnerable FortiOS 6.2/6.4 or FortiClient 6.2 with outdated AV engine versions.
💻 Affected Systems
- FortiOS
- FortiClient
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Malware delivery bypassing initial AV scanning, leading to system compromise, data theft, or ransomware deployment.
Likely Case
Temporary evasion of antivirus detection until file extraction triggers real-time scanning or Virus Outbreak Prevention.
If Mitigated
Minimal impact if Virus Outbreak Prevention is enabled on FortiGate or real-time scanning catches files upon extraction.
🎯 Exploit Status
Exploitation involves delivering a specially crafted RAR archive; no authentication is needed, but a user must interact with the archive.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update the AV engine to a version later than the vulnerable threshold: FortiOS 6.2 with engine later than 6.00142, FortiOS 6.4 with engine later than 6.00144, FortiClient 6.2 with engine later than 6.00137
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-20-037
Restart Required: No
Instructions:
1. Access the Fortinet support portal.
2. Download the latest AV engine updates.
3. Apply the updates via the FortiOS/FortiClient management interface.
4. Verify the engine version after the update.
🔧 Temporary Workarounds
Enable Virus Outbreak Prevention
Activates additional scanning on FortiGate to detect malicious archives. FortiOS CLI (the closing `end` commits the setting):
config antivirus settings
    set outbreak-prevention enable
end
🧯 If You Can't Patch
- Enable real-time scanning and Virus Outbreak Prevention to catch malicious files upon extraction.
- Implement network segmentation and user awareness training to reduce risk from malicious archives.
🔍 How to Verify
Check if Vulnerable:
Check the AV engine version in the FortiOS/FortiClient interface. The installation is vulnerable if the engine version is at or below the threshold for its branch: FortiOS 6.2, 6.00142; FortiOS 6.4, 6.00144; FortiClient 6.2, 6.00137.
Check Version:
execute show system fortiguard (FortiOS) or check About section (FortiClient)
Verify Fix Applied:
Confirm AV engine version exceeds vulnerable thresholds after update.
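The check above is easy to get wrong at the boundary (an engine exactly at the threshold is still vulnerable, because the fixed versions are strictly later). The script below is an added example, not Fortinet's tooling or part of the advisory: it audits a constructed inventory export against the thresholds stated on this page. It assumes engine versions use the "6.00142" form shown here and compares them as integer components; branches the page does not mention are reported as "not covered" rather than as safe.

```python
import csv
import io
from typing import List, Optional, Tuple

# Highest engine version still vulnerable, per product branch, as stated on this page.
VULNERABLE_MAX_ENGINE = {
    ("FortiOS", "6.2"): "6.00142",
    ("FortiOS", "6.4"): "6.00144",
    ("FortiClient", "6.2"): "6.00137",
}


def engine_key(version: str) -> Tuple[int, ...]:
    """Turn '6.00142' into (6, 142) so versions compare numerically, not as strings.
    Assumption: dotted numeric components, as in the versions quoted in the advisory."""
    return tuple(int(part) for part in version.strip().split("."))


def branch(product_version: str) -> str:
    """Reduce a full product version ('6.2.3') to its major.minor branch ('6.2')."""
    major, minor, *_ = product_version.strip().split(".")
    return f"{major}.{minor}"


def is_vulnerable(product: str, product_version: str, engine_version: str) -> Optional[bool]:
    """True if vulnerable, False if fixed, None if this page lists no threshold for the branch."""
    ceiling = VULNERABLE_MAX_ENGINE.get((product, branch(product_version)))
    if ceiling is None:
        return None
    # At or below the ceiling is vulnerable; the fix requires a strictly later engine.
    return engine_key(engine_version) <= engine_key(ceiling)


# Constructed inventory export (hostnames and versions are made up for the example).
INVENTORY_CSV = """host,product,product_version,engine_version
fw-edge-01,FortiOS,6.2.3,6.00142
fw-edge-02,FortiOS,6.2.4,6.00145
fw-core-01,FortiOS,6.4.0,6.00144
ws-1042,FortiClient,6.2.6,6.00137
ws-1043,FortiClient,6.2.7,6.00140
fw-lab-01,FortiOS,6.0.9,6.00130
"""


def audit_inventory(csv_text: str) -> Tuple[List[str], List[str]]:
    """Return (vulnerable_hosts, hosts_on_branches_not_covered_by_this_page)."""
    vulnerable: List[str] = []
    not_covered: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = is_vulnerable(row["product"], row["product_version"], row["engine_version"])
        if verdict is None:
            not_covered.append(row["host"])
        elif verdict:
            vulnerable.append(row["host"])
    return vulnerable, not_covered


if __name__ == "__main__":
    vuln, unknown = audit_inventory(INVENTORY_CSV)
    print("Vulnerable (engine at or below threshold):", vuln)
    print("Branch not covered by this advisory page:", unknown)
```

Feed it the same four columns exported from your own asset inventory; hosts listed under "not covered" need a separate check against the vendor advisory rather than being treated as patched.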
📡 Detection & Monitoring
Log Indicators:
- Log entries for AV engine updates, failed archive scans, or Virus Outbreak Prevention alerts.
Network Indicators:
- Unusual RAR archive downloads or email attachments triggering AV bypass attempts.
SIEM Query:
source="fortigate" AND (event="virus" OR event="outbreak") AND archive_type="RAR"
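The SIEM query above is written against normalized field names (event, archive_type); raw FortiGate syslog arrives as key=value pairs that must be parsed and mapped first. The script below is an added example, not part of this advisory or of any Fortinet product: it parses constructed FortiGate-style log lines and applies the same logic as the query, matching AV events (virus detections and Virus Outbreak Prevention hits) that involve RAR archives. The field names type, subtype, eventtype, filename and action are assumed to follow the FortiGate UTM log layout; adjust the mapping in classify_event and is_rar if your device's schema differs.

```python
import re
from typing import Dict, Iterable, List, Optional

# FortiGate-style key=value pairs: values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted values may contain spaces or '=')."""
    rec: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else bare
    return rec


def classify_event(rec: Dict[str, str]) -> Optional[str]:
    """Map assumed FortiGate UTM fields onto the page's event values: 'virus' or 'outbreak'."""
    if rec.get("type") != "utm" or rec.get("subtype") != "virus":
        return None
    # Assumed: Virus Outbreak Prevention hits carry an eventtype mentioning "outbreak".
    if "outbreak" in rec.get("eventtype", "").lower():
        return "outbreak"
    return "virus"


def is_rar(rec: Dict[str, str]) -> bool:
    """True when the record concerns a RAR archive, via a normalized archive_type field
    if the SIEM added one, otherwise by the scanned file's extension."""
    if rec.get("archive_type", "").upper() == "RAR":
        return True
    return rec.get("filename", "").lower().endswith(".rar")


def find_rar_av_events(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Equivalent of: (event="virus" OR event="outbreak") AND archive_type="RAR".
    The source="fortigate" clause is assumed to be satisfied by feeding only FortiGate lines."""
    hits = []
    for line in lines:
        rec = parse_fortigate_kv(line)
        event = classify_event(rec)
        if event in ("virus", "outbreak") and is_rar(rec):
            hits.append({
                "devname": rec.get("devname"),
                "event": event,
                "filename": rec.get("filename"),
                "action": rec.get("action"),
                "srcip": rec.get("srcip"),
            })
    return hits


# Constructed sample lines (device names, addresses and files are made up for the example).
SAMPLE_LOGS = [
    # Infected RAR caught by the AV engine
    'date=2020-05-12 time=10:15:22 devname="fw-edge-01" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" action="blocked" service="HTTP" '
    'filename="invoice.rar" virus="EICAR_TEST_FILE" srcip=10.0.0.25 dstip=203.0.113.10',
    # RAR flagged by Virus Outbreak Prevention
    'date=2020-05-12 time=10:16:03 devname="fw-edge-01" type="utm" subtype="virus" '
    'eventtype="outbreak-prevention" level="warning" action="blocked" service="SMTP" '
    'filename="report.rar" srcip=10.0.0.31 dstip=203.0.113.20',
    # Infected ZIP: an AV event, but not a RAR, so excluded by the query
    'date=2020-05-12 time=10:17:40 devname="fw-edge-01" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" action="blocked" service="HTTP" '
    'filename="setup.zip" virus="EICAR_TEST_FILE" srcip=10.0.0.25 dstip=203.0.113.10',
    # Ordinary traffic log: not an AV event
    'date=2020-05-12 time=10:18:01 devname="fw-edge-01" type="traffic" subtype="forward" '
    'action="accept" srcip=10.0.0.25 dstip=203.0.113.10 service="HTTPS"',
]

if __name__ == "__main__":
    for hit in find_rar_av_events(SAMPLE_LOGS):
        print(hit)
```

A spike in "virus" or "outbreak" hits on .rar attachments after the engine update, or a gap in such hits from a device still on a vulnerable engine, is the signal worth alerting on; correlate the srcip field with the mail or proxy logs to find the delivery path.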