A potential exploit has been discovered that affects FortiGate, FortiOS, and FortiClient running certain versions of the Fortinet AntiVirus engine. As a result, these products may fail to detect specific types of malformed or non-standard RAR archives, possibly containing malicious files. This vulnerability, identified as CVE-2020-9295, is capable of bypassing the antivirus' live protection and may have significant implications for user security.
FortiClient 6.2 running AV engine version 6.00137 and below
This post will provide a detailed overview of the CVE-2020-9295 vulnerability, including code snippets, original sources and references, and additional information about the exploit details and potential impact.
Code Snippet
The malicious archive can evade detection by using a malformed or non-standard RAR structure. Here's a simplified example of such a structure:
rar_archive.rar
| - nested_folder_01
| - malicious_file_01.exe
| - nested_folder_02
| - malicious_file_02.exe
In a typical scenario, the Fortinet antivirus engine would scan the archive during the extraction process, which should raise an alert and block the malicious files. However, because of the non-standard RAR structure, the antivirus engine fails to detect the threat.
Exploit Details
When a user attempts to extract the malformed RAR archive, the malicious files may bypass real-time scanning by FortiClient, resulting in a successful extraction. FortiGate will detect the malicious archive if Virus Outbreak Prevention is enabled, but this is not always the case for all configurations.
This potential exploit can have severe consequences and lead to further malware infections, data theft, or unauthorized access to sensitive information.
Links to Original References
The following links provide additional information about CVE-2020-9295 and the affected Fortinet products:
1. Fortinet Security Advisory: FG-IR-20-045
2. CVE-2020-9295 Official Record: CVE Details
3. NIST National Vulnerability Database: NVD Record
Conclusion
CVE-2020-9295 represents a critical vulnerability in the affected Fortinet products. Users are strongly advised to update their Fortinet antivirus engines to the latest version to protect against such exploits.
It's worth noting that based on the samples provided, FortiClient will detect the malicious files upon trying extraction by real-time scanning, and FortiGate will detect the malicious archive if Virus Outbreak Prevention is enabled. Users should enable these features whenever possible in order to minimize the risk posed by this exploit.
In addition, organizations are encouraged to review their security policies and procedures regularly to ensure they are up-to-date and capable of addressing emerging threats and vulnerabilities like CVE-2020-9295.
Timeline
Published on: 03/17/2025 14:15:16 UTC