CVE-2021-43066 Overview
CVE-2021-43066 is an external control of file name or path vulnerability in Fortinet FortiClientWindows that allows attackers to escalate privileges via the MSI installer. This vulnerability affects multiple versions of the FortiClient Windows endpoint protection software, exposing organizations to local privilege escalation attacks where a low-privileged attacker can gain elevated system access.
Critical Impact
Local attackers with low privileges can exploit the MSI installer to achieve privilege escalation, potentially gaining complete control over the affected Windows system.
Affected Products
- Fortinet FortiClientWindows version 7.0.2 and below
- Fortinet FortiClientWindows version 6.4.6 and below
- Fortinet FortiClientWindows version 6.2.9 and below
- Fortinet FortiClientWindows version 6.0.10 and below
Discovery Timeline
- 2022-05-11 - CVE-2021-43066 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-43066
Vulnerability Analysis
This vulnerability is described as improper control of an external file name or path (the weakness named by CWE-73) within the FortiClientWindows MSI installer. The CVE entry itself is classified under CWE-668 (Exposure of Resource to Wrong Sphere): a resource the installer acts on at high privilege ends up reachable by, or influenced from, a lower-privileged sphere during the installation process.
The vulnerability requires local access and low privileges to exploit. When successfully exploited, an attacker can achieve high impact across all three security pillars: confidentiality, integrity, and availability. In practice this means the attacker gains the privileges of the installer service (SYSTEM), from which sensitive data can be read, system configuration modified, and services disrupted on the compromised endpoint.
Root Cause
The root cause lies in the FortiClientWindows MSI installer's failure to properly validate and restrict a file name or path during installation operations. The pattern this weakness class describes is that the installer, which runs with elevated privileges (Windows Installer executes package actions as SYSTEM), takes a file name or path from a source a standard user can influence, so a privileged read, write or load is redirected to a location the attacker chose rather than the intended one.
Fortinet's public description names the weakness class but not the specific parameter or code path involved, so whether the issue is path traversal, a user-writable directory, or another form of file manipulation is not established by the public advisory; the details should be treated as unpublished.
Attack Vector
The attack vector is local, requiring the attacker to have initial access to the target Windows system with low-level user privileges. The exploitation process involves manipulating the MSI installer's file path handling to achieve privilege escalation.
An attacker would typically:
- Obtain initial access to the target system with a standard user account
- Identify a FortiClientWindows installation in a vulnerable version range
- Manipulate the MSI installer process by controlling file paths during installation or upgrade operations
- Leverage the improper path handling to write files to privileged locations or hijack execution flow
- Achieve elevated privileges, potentially gaining SYSTEM-level access
Exploitation hinges on how the MSI installer resolves file paths under elevated privileges. The public entry does not describe the affected parameter; refer to the FortiGuard Security Advisory for what Fortinet has published.
Detection Methods for CVE-2021-43066
Indicators of Compromise
- Suspicious MSI installer activity from non-administrative user accounts
- Unexpected file writes to privileged directories during FortiClient installation or update processes
- Anomalous privilege escalation events associated with FortiClient processes
- Unusual parent-child process relationships involving MSI installer and elevated system processes
Detection Strategies
- Monitor Windows Event Logs for MSI installer activity, particularly events related to FortiClientWindows installations
- Implement endpoint detection rules for suspicious file path manipulation during software installation
- Track privilege escalation events following FortiClient-related process execution
- Enable Windows Installer logging to capture detailed installation activity for forensic analysis
Monitoring Recommendations
- Deploy SentinelOne agents configured to monitor for privilege escalation attempts via installation packages
- Establish baseline behavior for FortiClientWindows update and installation processes
- Configure alerts for file writes to system directories from MSI installer processes running under non-administrative contexts
- Monitor for process hollowing or injection techniques that may leverage installer vulnerabilities
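The event-log monitoring and the "MSI activity from non-administrative contexts" alert recommended above, as an added example (not code from the page, from SentinelOne or from Fortinet). Windows Installer writes product install, reconfigure and removal events to the Application log under the MsiInstaller provider, and the UserId on each record is the SID of the account the event was logged for. The function below takes event-like objects (Id, TimeCreated, UserId, Message), keeps FortiClient events that were not logged for SYSTEM (S-1-5-18), and resolves the SID. Assumptions: the product name in the event message contains "FortiClient", and the event IDs of interest are the standard MsiInstaller product events 1033 (installed), 1034 (removed), 1035 (reconfigured), 11707 (installation completed) and 11724 (removal completed). The sample events are constructed, not real log data.

```powershell
# Added example: triage MsiInstaller events for FortiClient installs/repairs started from a non-SYSTEM account.
# Assumed MsiInstaller product event IDs (standard Windows Installer IDs, not taken from the advisory).
$MsiEventIds = 1033, 1034, 1035, 11707, 11724
$SystemSid   = 'S-1-5-18'

function Select-SuspiciousFortiClientMsiEvent {
    # Accepts Get-WinEvent records or any object exposing Id, TimeCreated, UserId and Message.
    # Returns only FortiClient events whose logged-for account is not SYSTEM, i.e. the install,
    # reconfigure or removal was driven from a user context.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.Id -notin $MsiEventIds) { return }
        if ($Record.Message -notmatch 'FortiClient') { return }

        $sid = if ($Record.UserId) { $Record.UserId.ToString() } else { '' }
        if ($sid -eq $SystemSid) { return }

        # Best-effort SID to account translation; unresolvable (e.g. foreign domain) SIDs are kept as-is
        $account = $sid
        if ($sid) {
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                               [System.Security.Principal.NTAccount]).Value
            } catch { }
        }

        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Id      = $Record.Id
            UserSid = $sid
            Account = $account
            Message = ($Record.Message -split "`n")[0]   # first line is enough for triage
        }
    }
}

function Get-LiveMsiEvents {
    # Pulls the last 7 days of MsiInstaller product events from the local Application log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = $MsiEventIds
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
}

# Constructed sample events (not real log data) to exercise the filter offline.
$samples = @(
    [pscustomobject]@{ Id = 11707; TimeCreated = [datetime]'2022-05-12T09:15:00'; UserId = 'S-1-5-18'
                       Message = 'Product: FortiClient -- Installation completed successfully.' }
    [pscustomobject]@{ Id = 1035;  TimeCreated = [datetime]'2022-05-12T09:20:00'; UserId = 'S-1-5-21-1-2-3-1105'
                       Message = 'Windows Installer reconfigured the product. Product Name: FortiClient. Product Version: 7.0.2.0090.' }
    [pscustomobject]@{ Id = 1033;  TimeCreated = [datetime]'2022-05-12T09:25:00'; UserId = 'S-1-5-21-1-2-3-1105'
                       Message = 'Windows Installer installed the product. Product Name: 7-Zip.' }
)
# Only the 1035 reconfiguration of FortiClient logged for the non-SYSTEM SID is returned.
$samples | Select-SuspiciousFortiClientMsiEvent | Format-Table -AutoSize

# Live triage of the local host:
Get-LiveMsiEvents | Select-SuspiciousFortiClientMsiEvent | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: a standard user can legitimately start a repair of an installed product, and any inventory job that enumerates Win32_Product (including the `wmic product` check further down this page) makes Windows Installer reconfigure every package and logs a 1035 event for FortiClient under the querying account. Exclude the SIDs of your own inventory and deployment accounts before alerting on the remainder.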
How to Mitigate CVE-2021-43066
Immediate Actions Required
- Inventory all FortiClientWindows installations and identify systems running vulnerable versions
- Prioritize patching for systems in high-risk environments or with sensitive data
- Restrict local user privileges where possible until patches can be applied
- Monitor affected systems for signs of exploitation attempts
Patch Information
Fortinet has released security updates to address this vulnerability. Organizations should upgrade to the following patched versions:
- FortiClientWindows 7.0.3 or later
- FortiClientWindows 6.4.7 or later
- FortiClientWindows 6.2.10 or later
- FortiClientWindows 6.0.11 or later
Refer to the FortiGuard Security Advisory FG-IR-21-154 for detailed patch information and download links.
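Classifying installed versions against the fixed releases above, as an added example (not code from the page or from Fortinet). The branch table is taken from the Patch Information list: 7.0.x is fixed from 7.0.3, 6.4.x from 6.4.7, 6.2.x from 6.2.10, 6.0.x from 6.0.11; any other major.minor branch is reported as unknown rather than guessed. The live inventory reads the Uninstall registry keys instead of Win32_Product, and assumes FortiClient's DisplayName contains "FortiClient" and that DisplayVersion carries a fourth build field (such as 7.0.2.0090), which is ignored for the comparison. The sample version strings are constructed.

```powershell
# Added example: decide whether an installed FortiClientWindows build is in the vulnerable range.
# Fixed versions per branch, from the advisory's patch list on this page.
$FixedVersions = @{
    '7.0' = [version]'7.0.3'
    '6.4' = [version]'6.4.7'
    '6.2' = [version]'6.2.10'
    '6.0' = [version]'6.0.11'
}

function Get-FortiClientPatchStatus {
    # Returns 'vulnerable', 'patched' or 'unknown' for a version string such as '7.0.2' or '7.0.2.0090'.
    param([Parameter(Mandatory)][string]$Version)

    # Normalise to major.minor.build; FortiClient's fourth field (build number) does not affect the branch check
    $parts = $Version.Split('.')
    while ($parts.Count -lt 3) { $parts += '0' }
    $v = [version]::new([int]$parts[0], [int]$parts[1], [int]$parts[2])
    $branch = '{0}.{1}' -f $v.Major, $v.Minor

    if (-not $FixedVersions.ContainsKey($branch)) { return 'unknown' }   # branch not covered by the advisory
    if ($v -ge $FixedVersions[$branch]) { return 'patched' }
    return 'vulnerable'
}

function Get-FortiClientInstallStatus {
    # Reads the Uninstall keys (native and WOW6432Node views). Win32_Product is avoided on purpose:
    # enumerating it makes Windows Installer validate and possibly repair every installed package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*FortiClient*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = Get-FortiClientPatchStatus -Version $_.DisplayVersion
            }
        }
}

# Constructed sample values (not from any real host) to show the classification offline:
# a vulnerable and a fixed build per branch boundary, plus a branch the advisory does not list.
'7.0.2.0090', '7.0.3.0193', '6.4.6', '6.4.7', '6.2.10', '6.0.10', '7.2.0' |
    ForEach-Object { '{0,-12} {1}' -f $_, (Get-FortiClientPatchStatus -Version $_) }

# Live inventory of this host (run elevated or not; the Uninstall keys are world-readable):
Get-FortiClientInstallStatus | Format-Table -AutoSize
```

To run this fleet-wide, wrap `Get-FortiClientInstallStatus` in `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-FortiClientInstallStatus}` after defining `$FixedVersions` and `Get-FortiClientPatchStatus` inside the script block, or export the results to CSV and join them against your asset inventory.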
Workarounds
- Restrict local access to systems with vulnerable FortiClientWindows installations to trusted users only
- Use AppLocker Windows Installer rules (or Software Restriction Policies) to control which MSI packages standard users can launch; note that repair and modify operations against an already installed product can be started by a standard user, so the rules must cover the FortiClient package itself, not only unknown installers
- Monitor and restrict write access to FortiClient installation directories
# Verify FortiClientWindows version on Windows systems. In an interactive cmd prompt the wildcard is a single '%'
# ('%%' is batch-file escaping). Note that 'wmic product' and Win32_Product both enumerate the Win32_Product class,
# which makes Windows Installer validate (and possibly repair) every installed package, is slow, and logs MsiInstaller
# 1035 reconfiguration events that pollute the detection telemetry above; prefer the registry read below.
wmic product where "name like 'FortiClient%'" get name,version
# PowerShell: read the Uninstall registry keys (native and WOW6432Node views) instead of Win32_Product
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FortiClient*' } | Select-Object DisplayName, DisplayVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


