
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-9295 is a security vulnerability affecting FortiOS and FortiClient antivirus engines that was disclosed on December 1, 2020. The vulnerability allows antivirus evasion through malformed RAR files, where the AV engines may not immediately detect certain types of malformed or non-standard RAR archives that potentially contain malicious files. The affected products include FortiOS 6.2 running AV engine version 6.00142 and below, FortiOS 6.4 running AV engine version 6.00144 and below, and FortiClient 6.2 running AV engine version 6.00137 and below (Fortiguard PSIRT).
The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. The vulnerability is classified under CWE-358 (Improperly Implemented Security Check for Standard). While the AV engines may not detect malicious files immediately in malformed RAR archives, FortiClient will detect the malicious files upon extraction through real-time scanning (Fortiguard PSIRT, NVD).
The primary impact of this vulnerability is a potential denial of service and the possibility of malicious files evading initial detection. However, FortiClient will detect the malicious files through real-time scanning when extraction is attempted, and FortiGate will detect the malicious archive if Virus Outbreak Prevention is enabled (Fortiguard PSIRT).
Several solutions have been provided to address this vulnerability: upgrade to FortiOS 6.2 running AV engine version 6.00145 or later, FortiOS 6.4 running AV engine version 6.00145 or later, FortiClient 6.2 running AV engine version 6.00145 or later, or FortiClient 6.4 running AV engine version 6.00243 or later. As a workaround for FortiGate, users can enable the Virus Outbreak Prevention feature (Fortiguard PSIRT).
The vulnerability was responsibly disclosed by security researcher Thierry Zoller, and Fortinet acknowledged their contribution in the security advisory (Fortiguard PSIRT).
Source: This report was generated using AI