Patch released for Windows-pwning VPN bug

VPN vendor Forcepoint has patched a security flaw that could have given attackers unfettered access to its users’ Windows computers.

Security company SafeBreach Labs discovered the vulnerability in Forcepoint’s VPN client software. The software used to be called the Stonesoft VPN client before Raytheon Websense rebranded as Forcepoint and bought it in 2016. It provides a secure connection between Windows endpoints and the Forcepoint Next Generation Firewall. You’d use it to log in securely to your company’s servers over public Wi-Fi, for example.

The vulnerability lies in the client software’s choice of directory paths when loading a critical software module. It loads on bootup as sgvpn.exe, which is an executable digitally signed by Forcepoint, running under a privileged NT AUTHORITY\SYSTEM account.

sgvpn.exe then tries to find another file called sgpm.exe, which is the VPN’s policy manager. It looks in two locations: C:\Program.exe and C:\Program Files (x86)\Forcepoint\VPN.exe.

The problem is that it isn’t supposed to look in those locations.

In its article detailing the bug, Forcepoint explained that the incorrect directory paths are due to an unquoted search path vulnerability. sgvpn.exe builds a command line for Windows that contains the path of the executable followed by a command line argument telling the operating system how to run it.

Windows best practice dictates that if the directory path and executable you pass to the command line contain a space, you wrap them in a quoted string so the executable part is separated from the argument. Because Forcepoint didn’t do that, the command line was misinterpreted: the operating system treated the text before each space as a possible executable name, which is why it looked in those erroneous locations.

This flaw enables an attacker to insert their own sgpm.exe file in one of the incorrect locations, and the sgvpn.exe executable will run it. Because sgvpn.exe runs under an account with administrative privileges, the attack code would have administrative access to the system.
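As an added illustration (not code from the article, SafeBreach or Forcepoint), the script below models the documented Windows rule for resolving the first token of an unquoted command line: every space is treated as a possible end of the program name, and .exe is appended when the candidate has no extension. It then audits a set of constructed service ImagePath entries (the vendor path used here is made up, not Forcepoint's real install layout) and prints the quoted form that fixes each finding. Because the model follows the general rule, it lists every candidate Windows would try, which can be more than the two locations the article names.

```python
import ntpath


def with_exe(name):
    """Windows appends .exe to a candidate that has no extension."""
    return name if ntpath.splitext(name)[1] else name + ".exe"


def executable_candidates(command_line):
    """Paths Windows tries, in order, to find the executable named by a
    command line (CreateProcess / service ImagePath rule). A quoted first
    token is taken literally; an unquoted one is cut at every space."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [command_line[1:end] if end != -1 else command_line[1:]]
    candidates = [with_exe(command_line[:i])
                  for i, ch in enumerate(command_line) if ch == " "]
    candidates.append(with_exe(command_line))
    return candidates


def hijackable_paths(image_path):
    """Locations tried *before* the intended executable. If a standard
    user can write to any of these directories, they can plant a binary
    that the privileged service launches instead of the real one.
    image_path is the executable path without its arguments."""
    return executable_candidates(image_path)[:-1]


def quoted(image_path):
    """The fix: wrap the whole path in double quotes so it is one token."""
    return image_path if image_path.startswith('"') else f'"{image_path}"'


def audit(services):
    """services: iterable of (service name, ImagePath). Returns one
    finding per unquoted path that has spaces in it."""
    findings = []
    for name, image_path in services:
        bad = hijackable_paths(image_path)
        if bad:
            findings.append({"service": name, "image_path": image_path,
                             "candidates": bad, "fix": quoted(image_path)})
    return findings


# Constructed sample registry entries; none of these are real services.
SAMPLE_SERVICES = [
    ("ExampleVPN", r"C:\Program Files (x86)\Example Vendor\VPN Client\vpnpm.exe"),
    ("QuotedSvc", r'"C:\Program Files\Quoted Vendor\svc.exe"'),
    ("NoSpaces", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding["service"], "->", finding["image_path"])
        for candidate in finding["candidates"]:
            print("   tried first:", candidate)
        print("   fix:", finding["fix"])
```

On a live system the same audit would read each service's ImagePath from the registry and additionally check whether a non-administrator can write to the directory of any listed candidate; only a writable candidate directory turns an unquoted path into a privilege escalation.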

The vulnerability also lets the attack code execute natively on the system without any checks. Because Forcepoint signed sgvpn.exe, an attacker can evade application whitelists that only run code signed by approved developers, SafeBreach explained.

Because sgvpn.exe loads on startup, it also means that an attacker could introduce a persistent attack, the company added:

…once the attacker drops a malicious EXE file in one of the paths we mentioned earlier, the service will load the malicious code each time it is restarted.

Exploiting the bug wouldn’t be easy for an attacker that didn’t already have some foothold on the system, because it would take administrative privileges to get the attack file into the targeted directories in the first place. If an attacker already has administrative access to your system, you’re already in trouble.

Nevertheless, Forcepoint assigned the bug CVE-2019-6145 and a base severity score of 6.7 (Medium).

What to do?

According to its knowledge base article, published 19 September 2019, the company has patched the flaw in version 6.6.1 of the Forcepoint VPN Client for Windows.