Forcepoint VPN Client is Vulnerable to Privilege Escalation Attacks (Sep 20, 2019)
Researchers at SafeBreach discovered that the Forcepoint VPN Client for Windows is affected by a vulnerability that can be exploited for privilege escalation, persistence, and defense evasion. The flaw, tracked as CVE-2019-6145, is an unquoted search path issue: an executable path containing spaces is used without surrounding quotes, so when the client application is launched, Windows tries each space-delimited prefix of that path as a possible executable before reaching the real binary (a path beginning "C:\Program Files" produces the candidate "C:\Program.exe", for example). According to SafeBreach, the client process attempts to run several such executable files that do not exist. A threat actor who can create files at those locations could therefore place their own malicious executables there and have the Forcepoint process run them each time the application is launched, with that process's privileges, but only if the actor is local and already holds some administrator privileges, since the locations involved are not writable by standard users. The issue affects Forcepoint VPN Client for Windows versions prior to 6.6.1, which contains the fix.
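To make the unquoted search path mechanism concrete, the following is an added example written for this briefing; it is not code from SafeBreach or Forcepoint, and the service image path it uses is a constructed placeholder, not the product's real installation path. It implements the documented CreateProcess rule (cut the unquoted string at each space, append ".exe" to any candidate that lacks an extension), lists the phantom executables a planted binary could impersonate, reports which directories an attacker would need to write into, and shows the quoted form that removes the ambiguity. Splitting an unquoted ImagePath into executable and arguments at the first token ending in ".exe" is an auditing heuristic, not Windows behaviour.

```python
from __future__ import annotations

import ntpath

# Constructed example: a hypothetical unquoted service ImagePath with one argument.
# It is NOT Forcepoint's real path; it stands in for any product installed under
# "Program Files (x86)" whose service registers its binary without quotes.
EXAMPLE_IMAGE_PATH = r"C:\Program Files (x86)\Example Vendor\VPN Client\vpnsvc.exe -service"


def split_unquoted_image_path(image_path: str) -> tuple[str, str]:
    """Heuristically split an unquoted ImagePath into (executable, arguments).

    Windows itself does not know where the executable ends; it probes prefixes
    until one exists. For auditing we assume the first token ending in ".exe"
    closes the executable path. If no token does, treat the whole string as it.
    """
    tokens = image_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1 :])
    return image_path, ""


def search_candidates(exe_path: str) -> list[str]:
    """Return the file names CreateProcess tries, in order, for an unquoted path.

    Documented rule (lpApplicationName NULL, command line unquoted): the string
    is cut at each space and ".exe" is appended to a candidate with no extension.
    Every candidate before the genuine binary is a hijack opportunity for anyone
    who can create a file at that location.
    """
    tokens = exe_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if not ntpath.splitext(cand)[1]:
            cand += ".exe"
        candidates.append(cand)
    return candidates


def quoted_image_path(image_path: str) -> str:
    """Return the ImagePath with the executable wrapped in double quotes.

    This is the fix: a quoted path is never cut at its internal spaces, so
    only the intended binary is ever considered.
    """
    exe, args = split_unquoted_image_path(image_path)
    return f'"{exe}" {args}'.rstrip()


def audit_image_path(image_path: str) -> dict:
    """Audit one service ImagePath for the unquoted search path weakness.

    Already-quoted paths and paths without spaces yield no hijack candidates.
    For a vulnerable path, report the phantom executables Windows would try
    first and the directories an attacker must be able to write into.
    """
    if image_path.startswith('"'):
        return {"quoted": True, "hijack_candidates": [], "writable_dirs_needed": []}
    exe, _args = split_unquoted_image_path(image_path)
    cands = search_candidates(exe)
    phantoms = cands[:-1]  # everything before the genuine binary
    return {
        "quoted": False,
        "executable": exe,
        "hijack_candidates": phantoms,
        "writable_dirs_needed": sorted({ntpath.dirname(c) for c in phantoms}),
        "fixed": quoted_image_path(image_path),
    }


if __name__ == "__main__":
    report = audit_image_path(EXAMPLE_IMAGE_PATH)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed path, the phantom candidates are "C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Example.exe" and "C:\Program Files (x86)\Example Vendor\VPN.exe", so an attacker needs to create a file directly under "C:\", under "Program Files (x86)", or under the vendor directory. By default none of those allow file creation by a standard user, which is why the briefing stresses that the actor must already hold administrator rights; the value to the attacker is that the planted binary then runs with the service's privileges on every launch, which is the escalation and persistence described above.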
Recommendation: Your company should have policies in place regarding software maintenance so that new security updates are applied as soon as possible. Threat actors often exploit vulnerabilities for which patches already exist, because technical details and proof-of-concept exploit code frequently become available on public sources once a patch has been issued.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.