Fortinet has issued an urgent warning about a persistent threat affecting FortiGate devices, where attackers exploit a vulnerability linked to SSL-VPN functionality to maintain access even after patches are applied.
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vendor/Product: Fortinet FortiGate products
Description: A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link (symlink) connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection.
Impact: Even if the customer device was patched with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations. Customers who did not enable SSL-VPN were not impacted by this issue.
Source: CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475
Max Severity: Critical
CVSS Score: 9.8 (all CVE’s)
Mitigation: Upon discovering the new technique used by the threat actor described above, Fortinet took steps to mitigate this issue and balance varying levels of cyber hygiene and challenges that the customer may face. Fortinet mitigation efforts included:
- An AV/IPS signature was created to detect and clean this symbolic link from impacted devices.
- Changes were made to the latest releases to detect and remove the symbolic link and ensure the SSL-VPN only serves the expected files.
- Proactive communications urging customers to update their devices, carefully balancing our communications to protect against further inadvertent compromise while delivering on our commitment to responsible transparency.
Fortinet has released multiple FortiOS mitigations, including:
- FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link was flagged as malicious by the AV/IPS engine so that it would be automatically removed if the engine was licensed and enabled.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: Upgrading to this release will remove the malicious symbolic link.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
Fortinet has communicated directly with customers identified as impacted by this issue based on the available telemetry and are recommending that they take the following steps:
- Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16.
- Review the configuration of all devices.
- Treat all configuration as potentially compromised and follow the recommended steps below to recover:
