CVE-2021-36183

7.4 HIGH

📋 TL;DR

This vulnerability allows a local unprivileged attacker on Windows systems running vulnerable FortiClient versions to escalate privileges to SYSTEM level by exploiting improper authorization in the named pipe used for updates. This affects FortiClient for Windows versions 7.0.1 and below, and 6.4.2 and below.

💻 Affected Systems

Products:
  • FortiClient for Windows
Versions: 7.0.1 and below, 6.4.2 and below
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of FortiClient. Requires local access to the system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, persistence mechanisms, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, and access sensitive system resources.

🟢 If Mitigated

Limited impact if proper endpoint protection and least privilege principles are enforced, though local access still poses risk.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised user account with local access can exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is relatively straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiClient 7.0.2 and 6.4.3

Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-079

Restart Required: Yes

Instructions:

1. Download FortiClient 7.0.2 or 6.4.3 from the Fortinet support portal.
2. Uninstall the current FortiClient version.
3. Install the patched version.
4. Restart the system.

🔧 Temporary Workarounds

Restrict Named Pipe Access

Modify Windows security settings to restrict access to the FortiClient update named pipe:

icacls \\.\pipe\FortiClientUpdate /deny Everyone:(F)

Note: icacls operates on file-system objects, while a named pipe's ACL is set by the process that creates it, so test this command on a non-production host before relying on it as a control.

Disable FortiClient Update Service

Temporarily disable the FortiClient update service to prevent exploitation:

sc config FortiClientUpdateService start= disabled
sc stop FortiClientUpdateService

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit local user access
  • Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check FortiClient version in About dialog or via 'wmic product get name,version' and compare to affected versions

Check Version:

wmic product where "name like 'FortiClient%'" get name,version

Verify Fix Applied:

Verify FortiClient version is 7.0.2 or higher, or 6.4.3 or higher
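As an added example (not from this advisory or from Fortinet), a PowerShell check that reads installed FortiClient entries from the standard Uninstall registry keys instead of the deprecated wmic, and classifies each against the fixed builds named above (7.0.2 for the 7.0 branch, 6.4.3 for the 6.4 branch). It assumes FortiClient registers a DisplayName beginning with "FortiClient" and a dotted DisplayVersion.

```powershell
# Added example, not part of this advisory or of Fortinet's tooling.
# Assumptions: FortiClient registers under the standard Uninstall keys with a
# DisplayName beginning "FortiClient" and a dotted DisplayVersion such as 7.0.1.0083.

function Test-FortiClientVulnerable {
    # Returns $true when $DisplayVersion is below the fixed build for its branch
    # (7.0.2 for the 7.0 branch, 6.4.3 for the 6.4 branch), $null if unparseable.
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $v = $DisplayVersion -as [version]
    if (-not $v) { return $null }
    if ($v.Major -eq 6 -and $v.Minor -eq 4) { return $v -lt [version]'6.4.3' }
    if ($v -ge [version]'7.0')               { return $v -lt [version]'7.0.2' }
    return $true   # anything below the 6.4 branch is also in the affected range
}

function Get-FortiClientStatus {
    # Reads installed-program entries (64-bit and 32-bit views), then
    # classifies every FortiClient entry found.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FortiClient*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = Test-FortiClientVulnerable -DisplayVersion $_.DisplayVersion
            }
        }
}

# Sanity check on constructed version strings, then report the live host
foreach ($s in '6.4.2.1511', '6.4.3.1608', '7.0.1.0083', '7.0.2.0090', '6.2.9.0') {
    '{0,-12} vulnerable={1}' -f $s, (Test-FortiClientVulnerable -DisplayVersion $s)
}
Get-FortiClientStatus | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session on each endpoint, or wrap Get-FortiClientStatus in Invoke-Command to sweep a fleet.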

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation with SYSTEM privileges from non-admin users
  • Access attempts to FortiClient named pipes from unauthorized processes

Network Indicators:

  • Local named pipe communication anomalies

SIEM Query:

EventID=4688 AND NewProcessName LIKE '%FortiClient%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')

Note: this query matches any FortiClient process started by a non-admin account, including routine launches of the client by users, so baseline normal volume per environment before alerting on it.
