Privilege escalation vulnerability patched in Forcepoint VPN for Windows

Updated: The bug could also be used post-exploit to circumvent PC defenses.


A patch has been issued to resolve a privilege escalation vulnerability in Forcepoint VPN Client software for Windows. 

Last week, cybersecurity researchers from SafeBreach Labs disclosed the security flaw, tracked as CVE-2019-6145, and said the bug could be used not only to escalate an attacker's privileges but also to maintain persistence on an infected system. 

Described as an unquoted search path vulnerability and awarded a CVSSv3 base severity score of 6.5, the problem exists in Forcepoint VPN Client for Windows software versions 6.6.0 and earlier. 


The client, previously known as Stonesoft VPN Client, registers its Windows service with an unquoted installation path. As a result, when the service starts during the boot sequence, Windows attempts to execute C:\Program.exe and C:\Program Files (x86)\Forcepoint\VPN.exe before it reaches the intended binary.

The service in question is the signed sgvpn.exe, which runs as NT AUTHORITY\SYSTEM. Writing to the probed locations, however, requires administrator rights, since both sit under directories that standard users cannot create files in.

Should a threat actor plant a malicious executable at either of the aforementioned paths, the service would launch it automatically at startup, and it would inherit the service's SYSTEM privileges.

It is worth noting that to exploit the vulnerability, a local attacker must already have admin privileges to plant the payload, so the escalation is from administrator to SYSTEM rather than from an unprivileged user. The attack is still worthwhile to an adversary who has reached that point: the payload is launched every time the VPN service starts, which provides persistence, and because it is executed by a legitimate, signed Forcepoint service it can bypass application whitelisting controls that trust the parent process.


In order to test the flaw, SafeBreach Labs crafted a Proof-of-Concept (PoC) unsigned .exe file. When a vulnerable version of the VPN was launched, the file was executed as NT AUTHORITY\SYSTEM by the legitimate Forcepoint application.

The root cause of the bug is that the service's command line does not quote the path to the executable. When that path contains spaces, Windows cannot tell where the program name ends and its arguments begin, so it tries each space-delimited prefix of the path as an executable name in turn, starting with C:\Program.exe, and runs the first one that exists.
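The following PowerShell script is an added example, not code from Forcepoint, SafeBreach Labs or the article, showing how to find this class of bug on a Windows host. It enumerates services whose ImagePath is unquoted and contains spaces, lists the executables Windows would probe before the real binary, and flags probe locations where non-administrators can create files (the more dangerous variant of this bug). The Forcepoint installation path used as the worked input is an assumption; only the two probe paths named in the article are confirmed by the source.

```powershell
# Added example (not Forcepoint or SafeBreach code): audit a Windows host for
# services with unquoted, space-containing image paths.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # Strip any trailing arguments: the executable ends at the first ".exe".
    # Assumption: the service binary carries a .exe extension, as sgvpn.exe does.
    if ($PathName -notmatch '^(?<exe>.*?\.exe)(\s|$)') { return @() }
    $exe = $Matches['exe']

    # CreateProcess tries every prefix that ends at a space, appending ".exe"
    # when the prefix has no extension: C:\Program Files\... => C:\Program.exe
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $prefix = $exe.Substring(0, $idx)
        if ([IO.Path]::GetExtension($prefix) -eq '') { $prefix += '.exe' }
        $candidates += $prefix
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Path)

    # The probe targets a file inside $dir; check whether low-privilege
    # principals hold CreateFiles there. A missing directory cannot be abused.
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -LiteralPath $dir)) { return $false }

    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $lowPriv) { continue }
        if ($ace.FileSystemRights -band $createFiles) { return $true }
    }
    return $false
}

# Worked input (constructed; the exact installation path is an assumption).
$assumedPath = 'C:\Program Files (x86)\Forcepoint\VPN Client\sgvpn.exe'
Write-Host "Probe order for: $assumedPath"
Get-UnquotedPathCandidates -PathName $assumedPath | ForEach-Object { Write-Host "  $_" }

# Live audit of every service on this host.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
    ForEach-Object {
        $svc = $_
        foreach ($candidate in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
            [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                Probe        = $candidate
                UserWritable = Test-UserWritable -Path $candidate
            }
        }
    } | Format-Table -AutoSize
```

For the assumed path the probe order is each prefix ending at a space with .exe appended, which includes both locations the article names. Any row whose UserWritable column is True means an unprivileged local user could plant a binary that the service would run as SYSTEM; even rows marked False remain a persistence and whitelisting-bypass vector for an attacker who already holds admin rights, as the article describes. The remediation on the vendor side is to wrap the path in quotes in the service's ImagePath, which is what a corrected installer does; an administrator can apply the same fix locally with sc.exe config or by editing the ImagePath value under HKLM:\SYSTEM\CurrentControlSet\Services\<service name>.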

The researchers reported their findings to Forcepoint on September 5 and the company confirmed the vulnerability's validity on the same day. A CVE was assigned by September 16, and after a patch was released, Forcepoint published a security advisory on September 19. 


Forcepoint VPN users are advised to upgrade to version 6.6.1 or later, which quotes the service path and closes the issue. 

Update 10.10 BST: A Forcepoint spokesperson told ZDNet:

"We have no further comment to make other than what is available in our Knowledge Base article. The vulnerability is now patched, and we thank SafeBreach Labs for finding the vulnerability and bringing it to our attention so we could address it."
