Ongoing Attack on FortiGate Devices Exploiting Symlinks for Persistent Access

By /

Listen to this Post

Fortinet has disclosed a new attack targeting FortiGate devices, where attackers maintain “read-only” access even after patching known vulnerabilities (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762). The attackers leverage symbolic links (symlinks) to bypass patches by linking user filesystems to root directories, specifically within SSL-VPN language folders. This stealthy technique allows access to sensitive files (e.g., configurations) without execution privileges.

You Should Know:

1. Understanding Symlinks in Linux

Symlinks are pointers to files/directories. Attackers abused this to redirect VPN language file requests to critical system files. 

 Create a symlink (attacker's perspective) 
ln -s /path/to/sensitive/file /var/www/vpn/lang/malicious_link

Detect malicious symlinks (defender) 
find / -type l -exec ls -la {} \; | grep -i "suspicious_path"

2. FortiGate Mitigation Steps

  • Update Immediately to patched versions:
  • FortiOS 6.4.16, 7.0.17, 7.2.11, 7.4.7, 7.6.2
  • Disable SSL-VPN if unused: 
    config vpn ssl settings 
set status disable 
end
  • Scan for Symlinks post-update: 
    Check for symlinks in VPN directories 
find /var/www/vpn -type l -ls

3. Network Monitoring Commands

  • IPS Signature Detection: Use FortiGate’s built-in IPS to block symlink exploits: 
    config ips sensor 
edit "Block_Symlink_Exploit" 
set comment "Detect CVE-2024-21762" 
append entries 
set rule 1234567  Replace with actual rule ID 
next 
end
  • Log Analysis: Filter logs for symlink-related activity: 
    grep -r "symlink" /var/log/fortigate/

4. Windows Equivalent (NTFS Symlinks)

Attackers may target Windows via junctions:

 Create a junction (Windows) 
mklink /J C:\malicious_link C:\Windows\System32\config

Detect junctions (Defender) 
dir /AL /S C:\

What Undercode Say

This attack highlights the persistence of threat actors in abusing OS-level features (symlinks) to evade patches. Key takeaways:

1. Patch Management: Prioritize updates for network appliances.

2. Filesystem Audits: Regularly scan for unauthorized symlinks.

  1. Least Privilege: Restrict VPN access to necessary users only.
  2. Logging: Enable verbose logging for `/var/www/vpn` and root filesystems.

Relevant Commands for Further Checks:

 List all symlinks in /etc (common target) 
ls -lR /etc | grep ^l

Monitor filesystem changes (Linux) 
auditctl -w /var/www/vpn -p wa -k vpn_access

Expected Output:

A hardened FortiGate environment with disabled unused services, updated firmware, and active symlink monitoring.

Reference: Fortinet Advisory (Check for latest CVE details).

References:

Reported By: Mohamed Abdelgadr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts: