When the fix is ​​not enough – Gigaom

Executive briefing

What happened:

A stealthy and persistent stolen door was discovered in more than 16,000 Fortinet firewalls. It was not a new vulnerability – it was a case of attackers operating a subtle part of the system (language files) to maintain unauthorized access even after the original vulnerabilities were corrected.

What it means:

Devices considered “safe” can still be compromised. The attackers had access to sensitive system files alone via symbolic links placed on the file system – by completely bypassing traditional authentication and detection. Even if a device was corrected months ago, the attacker could still be in place.

Commercial risk:

• Exposure of sensitive configuration files (including VPN, administrator and user data)
• Reputation risk if the customer -oriented infrastructure is compromised
• Regarding compliance according to industry (HIPAA, PCI, etc.)
• Loss of control over device configurations and confidence limits

What we do about this:

We have implemented a targeted remediation plan which includes the firmware corrective, resetting identification information, file system audits and access control updates. We have also integrated long-term controls to monitor persistence tactics like this in the future.

Take to remember for leadership:

It is not a seller or a CVE. This is a reminder that the correction is only a step of a secure operations model. We update our process to include the detection of persistent threats on all network devices – because the attackers are not waiting for the next cve strikes.

What happened

The attackers used Fortinet firewalls by planting symbolic links in linguistic file folders. These links indicated sensitive root level files, which were then accessible via the SSL-VPN web interface.

The result: the attackers have acquired reading access only to the system data without identification information and without alerts. This stolen door remained even after the firmware fixes – unless you can delete it.

Fortios versions that remove the back door:

• 7.6.2
• 7.4.7
• 7.2.11
• 7.0.17
• 6.4.16

If you perform something older, assume compromises and act accordingly.

The real lesson

We tend to consider the correction as a complete reset. This is not the case. The attackers are today persistent. They are not content to enter and move laterally – they sink quietly and remain.

The real problem here was not a technical defect. It was a dead angle in operational trust: the hypothesis that once we pass, we finished. This hypothesis is no longer sure.

OPS resolution plan: Runbook with one click

Playbook: Fortinet Symlink Backdoor Remediation

Aim:
Remedy the vullerability of Booddoor Symiiling affecting fortigate devices. This includes the fix, the audit, the hygiene of the identification information and the confirmation of the deletion of any persistent unauthorized access.

1. Extend your environment

• Identify all the strength devices used (physical or virtual).
• Inventory All versions of firmware.
• Check which devices have activated SSL-VPN.

2. Firmware patch

Patch with the following minimum versions:

• Fortios 7.6.2
• Fortios 7.4.7
• Fortios 7.2.11
• Fortios 7.0.17
• Fortios 6.4.16

Measures:

• Download the firmware from Fortinet Support Portal.
• Plan the stoppters or a rolling upwind window.
• Backup configuration before applying updates.
• Apply the firmware update via GUI or CLI.

3. Post-patch validation

After update:

• Confirm the version using the GET system status.
• Check that SSL-VPN is operational in the event of use.
• Run the diagnosis of the SYS Flashs list to confirm the deletion of unauthorized symbolic links (the Fortinet script included in the new firmware should clean it automatically).

4. Hygiene of identification and session information

• Force the password resets for all administration accounts.
• Revoke and reissue all local user identification information stored in Fortigate.
• Invalidate all current VPN sessions.

5. System and configuration audit

• Examine the list of administration accounts for unknown users.
• Validate current configuration files (display the complete configuration) for unexpected changes.
• Find the file system for the remaining symbolic links (optional):

find / -type l -ls | grep -v "/usr"

6. Monitoring and detection

• Activate full journalization on SSL-VPN and Admin interfaces.
• Export newspapers for analysis and retention.
• Integrate into Siem to alert on:
  • Unusual administration
  • Access to unusual web resources
  • EXPECTED GEOS Outdoor VPN Access

7. HARDEN SSL-VPN

• Limit external exposure (use IP or Geo-Fencing authorization lists).
• Require MFA on all VPN accessories.
• Disable access to web mode, unless you absolutely need.
• Disable unused web components (for example, themes, language packs).

Summary of changes control

Type of modification: Safety hotfix
Affected systems: Fortigate devices running SSL-VPN
Impact: Short interruption when upgrading the firmware
Risk level: AVERAGE
Change the owner: [Insert name/contact]Change the window: [Insert time]Backup plan: See below
Test plan: Confirm the firmware version, validate VPN access and execute post-Plaquette audits

Recoil

If the upgrade causes a failure:

1. Restart in the previous partition of the firmware using access to the console.
   • Execute: Exec set-Xe-Reboot primary or secondary according to which was upgraded.
2. Restore the saved configuration (pre-patch).
3. Temporarily deactivate SSL-VPN to avoid exposure during the study of the problem.
4. Inform Infosec and increase by the support of Fortinet.

Final thought

It was not a missed patch. It was a failure to assume that the attackers would play just.

If you only validate if something is “vulnerable”, you miss the situation as a whole. You have to ask: Could someone already be here?

Safety today means reducing the space where attackers can work – and assuming that they are smart enough to use the edges of your system against you.