Forcepoint VPN Client is Vulnerable to Privilege Escalation Attacks

Forcepoint vpn patch

Forcepoint has fixed a privilege escalation vulnerability in its VPN Client for Windows.

A vulnerability has been discovered in the Forcepoint VPN Client software for Windows. The flaw could enable an attacker – with an existing foothold on a system – to achieve an escalation of privilege, persistence and in some cases defense evasion.

The vulnerability (CVE-2019-6145) stems from an un-patch issue in the Forcepoint VPN Client software. This software provides a secure virtual private network connection between end-user Windows computers and a Forcepoint’s VPN gateway.

“This vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve privilege escalation, persistence and in some cases defense evasion by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs as NT AUTHORITY\SYSTEM [the user account with the highest level of privileges],” researchers with SafeBreach said in a Friday analysis.

The vulnerability exists in all versions below 6.6.1 of Forcepoint’s VPN Client for Windows. A fix, delivered in version 6.6.1 of the software, is available now, according to Forcepoint.

The flaw manifests itself when the VPN client starts (which is usually during the Windows boot sequence). First, it incorrectly looks for and attempts to execute programs in two locations (“C:\Program.exe” and “C:\Program Files (x86)\Forcepoint\VPN.exe”). Once it (incorrectly) discovers any file – even if unsigned – it would execute them as the most privileged user account (called NT AUTHORITY\SYSTEM).

So if an unauthorized user, with preexisting access to the system, planted an executable file in one of those two locations, the VPN Client would execute either, giving the user or attacker the highest level of privileges on the targeted end point.

In a proof of concept test, researchers compiled an unsigned executable (EXE) file, which contained the name of the process that loaded it and the username that executed it to the filename of a txt file. The arbitrary unsigned EXE file was executed as NT AUTHORITY\SYSTEM by a legitimate process which is signed by Forcepoint.

Hackers would need to jump through hoops to exploit the flaw. By default, only local administrators can write to the two locations (“C:\Program.exe” and “C:\Program Files (x86)\Forcepoint\VPN.exe”), meaning that an attacker would need to be local and already have some administrator privileges.

If an attacker were to exploit the vulnerability, they would have the ability to execute malicious payloads in a persistent way (each time the service is being loaded) as well as gain NT AUTHORITY\SYSTEM access (the part of the VPN service that has the highest level of privileges and permissions) as an administrator.

“The vulnerability gives attackers the ability to be executed by a signed service,” said researchers. “This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass.”

The vulnerability has a CVSSv3 Base Score of 6.5, making it a medium-severity vulnerability. The vulnerability was first reported on Sept. 5, 2019; on Sept. 19 Forcepoint patched and disclosed the flaw.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles

Insider Risks In the Work-From-Home World

Forcepoint’s Michael Crouse talks about risk-adaptive data-protection approaches and how to develop a behavior-based approach to insider threats and risk, particularly with pandemic-expanded network perimeters.

SASE & Zero Trust: The Dream Team

Forcepoint’s Nico Fischbach, global CTO and VPE of SASE, and Chase Cunningham, chief strategy officer at Ericom Software, on using SASE to make Zero Trust real.

Effective Adoption of SASE in 2021

In this Threatpost podcast, Forcepoint’s SASE and Zero Trust director describes how the pandemic jump-started SASE adoption.