Description
An improper verification of cryptographic signature vulnerability [CWE-347] in FortiClient MacOS version 7.4.0, version 7.2.4 and below, version 7.0.10 and below, version 6.4.10 and below may allow a local authenticated attacker to swap the installer with a malicious package via a race condition during the installation process.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
E
Physical
RL
X
RC
Required
Affected products
- fortinet / forticlientmac7.4.0 – 7.4.0
- fortinet / forticlientmac7.2.0 – 7.2.4
- fortinet / forticlientmac7.0.0 – 7.0.10
- fortinet / forticlientmac6.4.0 – 6.4.10
References
- VENDOR_ADVISORYhttps://fortiguard.fortinet.com/psirt/FG-IR-24-022