VU#420440: Vulnerable Python version used in Forcepoint One DLP Client

Overview

A vulnerability in the Forcepoint One DLP Client allows bypass of the vendor-implemented Python restrictions designed to prevent arbitrary code execution. By reconstructing the ctypes FFI environment and applying a version-header patch to the ctypes.pyd module, an attacker can restore ctypes functionality within the bundled Python 2.5.4 runtime, enabling direct invocation of DLLs, memory manipulation, and execution of arbitrary code.

Description

The Forcepoint One DLP Client (version 23.04.5642 and potentially subsequent versions) shipped with a constrained Python 2.5.4 runtime that omitted the ctypes foreign function interface (FFI) library. Although this limitation appeared intended to mitigate malicious use, it was demonstrated that the restriction could be bypassed by transferring compiled ctypes dependencies from another system and applying a version-header patch to the ctypes.pyd module. Once patched and correctly positioned on the search path, the previously restrained Python environment would successfully load ctypes, permitting execution of arbitrary shellcode or DLL-based payloads.

Forcepoint acknowledged the issue and indicated that a fix would be included in an upcoming release. According to the Forcepoint’s published knowledge base article (KB 000042256), the vulnerable Python runtime has been removed from Forcepoint One Endpoint (F1E) builds after version 23.11 associated with Forcepoint DLP v10.2.

Impact

Arbitrary code execution within the DLP client may allow an attacker to interfere with or bypass data loss prevention enforcement, alter client behavior, or disable security monitoring functions. Because the client operates as a security control on enterprise endpoints, exploitation may reduce the effectiveness of DLP protections and weaken overall system security.

The complete scope of impact in enterprise environments has not been fully determined.

Solution

Forcepoint reports that the vulnerable Python runtime has been removed in Endpoint builds after version 23.11 (Forcepoint DLP v10.2).
Users should upgrade to Endpoint versions which have been validated to no longer contain python.exe.

Acknowledgements

Thanks to the reporter, Keith Lee.
This document was written by Timur Snoke.