Unveiled: Leveraging Pre-existing Vulnerabilities in Fortinet Systems
In a recent announcement, Fortinet has urged all users to update their FortiOS versions to the recommended releases to address a malware symbolic-link problem discovered by the company's threat analysis team. The affected versions include 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16.
This threat actor activity, it appears, was not targeted towards a specific region or industry. The malicious symbolic link, as Fortinet's investigation revealed, connects a folder used to serve language files for the SSL-VPN. This allows the threat actor to maintain access to impacted devices even after updates.
To combat this issue, Fortinet has developed an AV/IPS signature to detect and clean the symbolic link from affected devices. In addition, the SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
The threat actor is known to have exploited known vulnerabilities (FG-IR-22-398, FG-IR-23-097, FG-IR-24-015) to gain access to Fortinet devices. Upon discovery, Fortinet promptly developed necessary mitigations and communicated with affected customers.
Fortinet's mitigation efforts balance varying levels of cyber hygiene and the challenges customers may face. The new technique used by the threat actor allows them to maintain read-only access to files on the device's file system, which may include configurations. To address this, changes have been made to the latest releases to detect and remove the symbolic link and ensure the SSL-VPN only serves the expected files.
Furthermore, Fortinet has incorporated changes to improve security features, including additional compile-time hardening, virtual patching, firmware integrity validation in hardware, Implementation of Integrity Measurement Architecture (IMA) / Filesystem Integrity, and auto-updates.
If a customer has never had SSL-VPN enabled, they are not impacted by this issue. Fortinet recommends all customers to upgrade to one of the recommended versions regardless of their impact status. Upgrading to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 will remove the malicious symbolic link.
Fortinet continues to work directly with customers to ensure they have taken steps to remediate the issue. The company encourages its customers to leverage FortiOS best practice resources for system hardening and automating the upgrade process.
Lastly, FortiOS 7.4, 7.2, 7.0, and 6.4 flagged the symbolic link as malicious by the AV/IPS engine for automatic removal if the engine is licensed and enabled. Fortinet continues its efforts to keep its users secure and protected in the ever-evolving cyber threat landscape.
