SB2022040712 - Multiple vulnerabilities in FortiClient (Linux)

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2021-44167)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to insecure handling of symbolic links. A local user can access sensitive information in log files and directories via symbolic links.

2) Information disclosure (CVE-ID: CVE-2021-43205)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker on the local network can gain unauthorized access to confighandler webserver via external binaries

Remediation

Install update from vendor's website.

References

• https://fortiguard.fortinet.com/psirt/FG-IR-21-232
• https://fortiguard.fortinet.com/psirt/FG-IR-21-226