Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
Fortinet warns that threat actors can retain read-only access to FortiGate devices even after the original vulnerability used for the breach has been patched.
The cybersecurity firm revealed that attackers exploited known FortiGate flaws like CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to gain persistent read-only access via a symlink in SSL-VPN language folders.
“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection.” reads the advisory published by Fortinet. “Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”
Fortinet pointed out that only devices with SSL-VPN enabled are impacted. The company added that scans show the attacks weren’t limited to any specific region or industry.
Fortinet mitigated the attack by deploying AV/IPS signatures, updating releases to block the symbolic link, and urging customers to patch devices while maintaining transparency.
The company did not link the attacks to a certain threat actor, however, the investigation is still ongoing.
Below are the FortiOS mitigations released by the company:
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
- FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link was flagged as malicious by the AV/IPS engine so that it would be automatically removed if the engine was licensed and enabled.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: Upgrading to this release will remove the malicious symbolic link.
The cybersecurity vendor notified impacted customers and provided the following mitigations:
- Treat all configuration as potentially compromised and follow the recommended steps below to recover:
- Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16.
- Review the configuration of all devices.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, FortiOS)
