CVE-2023-45588
📋 TL;DR
This vulnerability allows a local attacker to execute arbitrary code or commands on macOS systems running vulnerable FortiClient versions. Attackers can exploit this by placing a malicious configuration file in the /tmp directory before installation begins. Affected users include anyone running FortiClientMac version 7.2.3 or below, or version 7.0.10 or below.
💻 Affected Systems
- FortiClientMac
📦 What is this software?
Forticlient by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root privileges, installing persistent backdoors, stealing credentials, and accessing sensitive data.
Likely Case
Local privilege escalation allowing attackers to execute arbitrary commands with elevated privileges, potentially leading to lateral movement within the network.
If Mitigated
Limited impact with proper file permissions and monitoring preventing unauthorized file creation in /tmp directory.
🎯 Exploit Status
Requires local access and timing to place malicious file before installation starts; not trivial but feasible for determined attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to FortiClientMac version 7.2.4 or 7.0.11
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-345
Restart Required: No
Instructions:
1. Download the latest FortiClientMac installer from the Fortinet support portal.
2. Uninstall the current vulnerable version.
3. Install the updated version.
4. Verify that the installation completed successfully.
🔧 Temporary Workarounds
Secure /tmp directory permissions
Platform: macOS
Restrict write permissions on the /tmp directory to prevent unauthorized file creation.
sudo chmod 1777 /tmp
sudo chown root:wheel /tmp
Note: mode 1777 with root:wheel ownership is the standard macOS configuration for /tmp (world-writable with the sticky bit, so users cannot delete or rename each other's files). These commands restore that baseline if it has drifted; they do not by themselves stop a local user from creating files in /tmp, so pair them with the monitoring and access controls below.
🧯 If You Can't Patch
- Monitor /tmp directory for suspicious file creation during FortiClient installation processes
- Implement strict access controls to limit who can install software on macOS systems
🔍 How to Verify
Check if Vulnerable:
Check FortiClientMac version in About dialog or run: /Applications/FortiClient.app/Contents/MacOS/FortiClient --version
Check Version:
/Applications/FortiClient.app/Contents/MacOS/FortiClient --version
Verify Fix Applied:
Confirm version is 7.2.4 or higher, or 7.0.11 or higher after update
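The version thresholds above differ per branch (7.2.x is fixed from 7.2.4, 7.0.x from 7.0.11), which is easy to get wrong in a fleet-wide check. The following is an added example, not Fortinet tooling: it classifies a version string against exactly the fixed versions this advisory names and reports any other branch as unknown rather than guessing. The exact output format of the `--version` command is not documented on this page, so the parser simply looks for the first `major.minor.patch` triple in whatever text you pass it.

```python
"""Classify a FortiClientMac version against the fixed releases in FG-IR-23-345.

Added example (not Fortinet's own code). Assumes the version is available as a
dotted major.minor.patch string, e.g. "7.2.3" read from the About dialog or
from the --version output.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First non-vulnerable build on each branch, as stated in the advisory text.
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 4),
    (7, 0): (7, 0, 11),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from arbitrary text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_version(text: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unknown'.

    Only the 7.0 and 7.2 branches named on the page are classified. Any other
    branch, or unparsable input, is reported as 'unknown' so that an unfamiliar
    build is never silently treated as patched.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison is numeric per component, so 7.2.10 correctly sorts after 7.2.4.
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; on a real host pass the --version output instead.
    for sample in ("7.2.3", "7.2.4", "FortiClient 7.0.10", "7.0.11", "7.1.0"):
        print(f"{sample!r:>22} -> {assess_version(sample)}")
```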
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file creation in /tmp directory with FortiClient-related names
- Unexpected FortiClient installation processes running
Network Indicators:
- Unusual outbound connections from FortiClient processes post-installation
SIEM Query:
source="macos" AND ((event="file_create" AND path="/tmp/*forticlient*") OR (process="FortiClient" AND action="install"))