Fortinet Backdoor: Nearly 1,000 Devices Affected in Benelux and France


A backdoor in Fortinet brings an old vulnerability back to the surface, even if a device has been patched against it. In Benelux and France, nearly 1,000 devices have been affected.

Fortinet warned last week that a backdoor in FortiGate devices is being actively exploited. The security specialist emphasizes that no new vulnerability has crept into the firewalls, but that attackers have found a way to re-exploit a vulnerability from 2022. Even those who patched the vulnerability at the time are at risk.

The vulnerability allowed attackers to plant symbolic links in the language-files folder that point into the firewall's root file system. On devices where SSL-VPN is enabled, that folder is publicly accessible, so the links gave attackers a direct path to the core of the device. It now appears that the patch did not remove those symbolic links, meaning a device can be exploited through them again even after it has been patched.
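A defender-side check for the persistence mechanism described above, added here as an illustration and not Fortinet's own detection logic: it walks a publicly served language-files folder and reports every symbolic link whose resolved target lies outside that folder. The directory layout it scans is a constructed fixture built in a temporary directory, not a real FortiGate file system.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir, allowed_root=None):
    """Return (relative link path, raw link target) for every symlink under
    served_dir whose resolved target is not inside allowed_root.
    allowed_root defaults to served_dir itself: a web-served folder should
    never link out of its own tree. Dangling links are reported too."""
    served = Path(served_dir).resolve()
    root = Path(allowed_root).resolve() if allowed_root else served
    findings = []
    # followlinks=False: never descend into a symlinked directory, so a link
    # to "/" cannot turn the scan into a walk of the whole file system.
    for dirpath, dirnames, filenames in os.walk(served, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            raw_target = os.readlink(link)
            resolved = link.resolve(strict=False)
            if not resolved.is_relative_to(root):
                findings.append((str(link.relative_to(served)), raw_target))
    return findings


def build_demo_fixture():
    """Constructed fixture (hypothetical layout): a served 'lang' folder with
    one benign link that stays inside the folder and one planted link that
    escapes to a fake root file system."""
    base = Path(tempfile.mkdtemp(prefix="symlink-check-"))
    fake_root = base / "fakeroot"
    (fake_root / "etc").mkdir(parents=True)
    (fake_root / "etc" / "config").write_text("constructed sample config\n")
    lang = base / "www" / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text('{"hello": "Hello"}\n')
    os.symlink(lang / "en.json", lang / "en-gb.json")  # benign: stays inside
    os.symlink(fake_root, lang / "theme")              # escapes the served tree
    return lang


def demo():
    """Scan the fixture; only the escaping link should be reported."""
    return find_escaping_symlinks(build_demo_fixture())


if __name__ == "__main__":
    for rel_path, target in demo():
        print(f"escaping symlink: {rel_path} -> {target}")
```

Run it against the real served folder by calling `find_escaping_symlinks` with that path; any hit is a link that should not exist in a publicly reachable directory and warrants the firmware update and reconfiguration the vendor recommends.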

Fortinet sent an email to customers whose FortiGate devices were affected. The company recommends installing a firmware update with updated AV/IPS signatures that detect and neutralize the symbolic links. Administrators are also urged to reconfigure their Fortinet devices.

17,000 Affected Devices

The damage has already been done. Shadowserver estimates the number of compromised devices at a substantial 17,000 since the attacks began on April 11. The majority are in Asia, but we also see victims closer to home. Of the 3,000 affected Fortinet devices in Europe, 583 are found in France.

In the Benelux, there are 349 vulnerable devices according to Shadowserver. 177 organizations in the Netherlands should be concerned, and 157 organizations in Belgium. The damage is still limited in Luxembourg with 15 devices. To avoid being included on this list, it’s best to follow Fortinet’s advice.

Nearly 1,000 devices in Benelux and France have been affected. Source: Shadowserver.

Ghosts from the Past

Fortinet has been in the news more often than the company would like in recent months due to vulnerabilities in FortiGate or other products. Usually, these are freshly discovered zero-days, but ghosts from the past continue to haunt Fortinet as well. A database containing information from 15,000 Fortinet firewalls appeared online in January, obtained from an earlier leak in FortiGate.