Plus a bonus hard-coded local API key
A now-patched, high-severity bug in Fortinet's FortiClient VPN application potentially allows a low-privilege rogue user or malware on a vulnerable Windows system to gain higher privileges from another user, execute code and possibly take over the box, and delete log files. It earned a 7.8 out of 10 CVSS severity rating and affects FortiClientWindows versions 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.12, and 6.4.0 through 6.4.10.
According to Chako, this latter flaw has been assigned CVE-2024-50564, though the vendor has not yet issued a security alert about it. It has, however, also been fixed in the latest version, FortiClient 7.4.1, and an advisory is slated for release on the December 10 Patch Tuesday, he added. "From a security perspective, after testing version 7.4.1, we were able to validate that the patch prevented us from executing the techniques."
This could also be abused to delete log files and to make a user connect to an attacker-controlled server. Plus, when combined with the second vulnerability, CVE-2024-50564, a miscreant would be "able to edit SYSTEM level registry values within the HKLM registry hive," Chako said. Exploiting CVE-2024-50564 involves using a hard-coded local API encryption key that components of Fortinet's software use to exchange commands and data between themselves; it's not a VPN secret. ®
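The practical question for a defender is which installed builds sit inside the affected ranges quoted above. The following added example (not from the article, Fortinet or Pentera) encodes exactly those ranges and compares version strings numerically, so that a build such as 7.0.9 is not mis-ranked against 7.0.12 the way a plain string comparison would do. The dotted-integer version format, the trailing build field and the sample inventory are assumptions constructed for the example; the ranges themselves are the ones the article lists.

```python
# Added example: check FortiClientWindows version strings against the
# affected ranges quoted in the article (7.4.0; 7.2.0-7.2.4; 7.0.0-7.0.12;
# 6.4.0-6.4.10). The version-string format is an assumption; the ranges
# are the article's, and anything outside them is reported as not listed.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected) per branch, inclusive, as listed on the page.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 4, 0), (7, 4, 0)),
    ((7, 2, 0), (7, 2, 4)),
    ((7, 0, 0), (7, 0, 12)),
    ((6, 4, 0), (6, 4, 10)),
]


def parse_version(s: str) -> Version:
    """Turn '7.2.4' or '7.2.4.0321' into (7, 2, 4); extra fields (build numbers)
    are ignored. Comparing integers matters: a string compare would rank
    '7.0.9' above '7.0.12' and miss an affected build."""
    parts = s.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the ranges the article lists."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: version}, return the hosts still on a listed-affected
    build, sorted so the report is stable."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ws-01": "7.4.0",
        "ws-02": "7.4.1",       # the patched release named in the article
        "ws-03": "7.0.12",
        "ws-04": "7.0.9",       # a naive string compare would sort this after 7.0.12
        "ws-05": "7.2.4.0321",  # trailing build field is ignored
        "ws-06": "6.4.11",      # outside the 6.4.0-6.4.10 range the article quotes
    }
    for host in triage(sample):
        print(host, sample[host], "affected")
```

Feed `triage()` whatever your endpoint inventory exports; the function deliberately says nothing about builds the article does not list (for example 7.2.5 or 6.4.11), so treat "not listed" as "check the vendor advisory", not as "safe".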