A vulnerability has been discovered in the Forcepoint VPN Client software for Windows. The flaw could enable an attacker – with an existing foothold on a system – to achieve an escalation of privilege, persistence and in some cases defense evasion.
The vulnerability (CVE-2019-6145) stems from an unquoted search path issue in the Forcepoint VPN Client software. This software provides a secure virtual private network connection between end-user Windows computers and a Forcepoint VPN gateway.
“This vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve privilege escalation, persistence and in some cases defense evasion by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs as NT AUTHORITY\SYSTEM [the user account with the highest level of privileges],” researchers with SafeBreach said in a Friday analysis.
The vulnerability exists in all versions below 6.6.1 of Forcepoint’s VPN Client for Windows. A fix, delivered in version 6.6.1 of the software, is available now, according to Forcepoint.
The flaw manifests itself when the VPN client starts (usually during the Windows boot sequence). The client incorrectly looks for and attempts to execute programs in two locations (“C:\Program.exe” and “C:\Program Files (x86)\Forcepoint\VPN.exe”). If it finds a file in either location – even an unsigned one – it executes that file as the most privileged user account (NT AUTHORITY\SYSTEM).
So if an unauthorized user with preexisting access to the system planted an executable file in either of those two locations, the VPN Client would execute it, giving that user or attacker the highest level of privileges on the targeted endpoint.
In a proof-of-concept test, researchers compiled an unsigned executable (EXE) file that wrote the name of the process that loaded it and the username that executed it into a text file. The arbitrary unsigned EXE file was executed as NT AUTHORITY\SYSTEM by a legitimate process signed by Forcepoint.
Hackers would need to jump through hoops to exploit the flaw. By default, only local administrators can write to the two locations (“C:\Program.exe” and “C:\Program Files (x86)\Forcepoint\VPN.exe”), meaning that an attacker would need to be local and already have some administrator privileges.
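The two lookup locations above are the intermediate paths Windows tries when a service's image path contains spaces and is not quoted. The following PowerShell audit, added here as an example and not code from the article, SafeBreach or Forcepoint, enumerates every service on a host, derives those intermediate paths from each unquoted image path, and reports whether non-administrators can write to the directory each one lands in (the write-permission condition the paragraph above describes). The sample service path used in the demo call is constructed and is not Forcepoint's real install path.

```powershell
# Added example: audit Windows services for unquoted image paths with spaces,
# list the intermediate "<prefix>.exe" paths CreateProcess would try first, and
# flag any whose parent directory is writable by broad, non-admin principals.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    $cmd = $ImagePath.Trim()
    if ($cmd.StartsWith('"')) { return @() }    # quoted path: not affected
    if ($cmd -notmatch '\s') { return @() }     # no spaces: nothing to split
    $tokens = $cmd -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        # Once a prefix already names an .exe, Windows would have resolved it;
        # anything after that point is an argument, not part of the path.
        if ($prefix -match '\.exe$') { break }
        $candidates += "$prefix.exe"
    }
    return $candidates
}

function Test-NonAdminWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    # Principals that should never hold write rights on a service's path.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [string]$ace.FileSystemRights
        if ($rights -match 'FullControl|Modify|Write|CreateFiles') { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-UnquotedPathCandidates -ImagePath $svc.PathName) {
                [pscustomobject]@{
                    Service          = $svc.Name
                    RunsAs           = $svc.StartName
                    Candidate        = $candidate
                    NonAdminWritable = Test-NonAdminWritable -Directory (Split-Path -Parent $candidate)
                }
            }
        }
}

# Demo on a constructed path shaped like the one the article describes
# (hypothetical executable name; not Forcepoint's actual install path).
$sample = 'C:\Program Files (x86)\Forcepoint\VPN Client\client.exe'
Get-UnquotedPathCandidates -ImagePath $sample

# Live audit of the local host; entries with NonAdminWritable = $true need
# remediation (quote the ImagePath and tighten the directory ACL).
Find-UnquotedServicePaths | Format-Table -AutoSize
```

For the sample path, the enumeration produces the two locations the article names (C:\Program.exe and C:\Program Files (x86)\Forcepoint\VPN.exe) plus C:\Program Files.exe, the intermediate prefix that lies between them. Quoting the service's ImagePath in the registry removes the ambiguity entirely; checking the ACLs tells you whether the default "administrators only" condition described above actually holds on a given host, since installers and administrators sometimes loosen permissions under Program Files.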
If an attacker were to exploit the vulnerability, they would be able to execute malicious payloads persistently (each time the service is loaded) and, starting from an administrator account, gain NT AUTHORITY\SYSTEM access (the account under which the VPN service runs, which has the highest level of privileges and permissions).
“The vulnerability gives attackers the ability to be executed by a signed service,” said researchers. “This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass.”
The vulnerability has a CVSSv3 Base Score of 6.5, making it a medium-severity vulnerability. The vulnerability was first reported on Sept. 5, 2019; on Sept. 19 Forcepoint patched and disclosed the flaw.