The symlink trick is a post-exploitation technique used by attackers to maintain access to Fortinet devices even after initial vulnerabilities have been patched. This exploitation method leverages symbolic links (symlinks) to create persistent, unauthorized access to critical files on the device. The technique has been linked to recent attacks targeting FortiGate devices, raising concerns about how even patched systems may remain vulnerable if not properly secured.
Understanding the Symlink Trick: Technical Mechanics
1. Initial Access via Exploited Vulnerabilities
Attackers exploit known vulnerabilities in FortiOS to gain unauthorized access to Fortinet devices. Commonly targeted vulnerabilities include:
- CVE-2022-42475: A heap-based buffer overflow vulnerability enabling attackers to execute arbitrary code remotely.
- CVE-2023-27997: A critical Remote Code Execution (RCE) vulnerability in SSL-VPN.
- CVE-2024-21762: Another RCE flaw allowing attackers to compromise FortiGate devices through malicious requests.
These vulnerabilities allow attackers to infiltrate and manipulate the system during the initial phase of the attack.
2. Creation of the Symlink
Once access is gained, attackers create a symbolic link (symlink) that redirects file system operations:
- The symlink links the user filesystem to the root filesystem.
- This symlink is strategically placed within directories serving language files for the SSL-VPN web interface. By embedding the symlink here, attackers camouflage it as part of legitimate device operations.
3. Persistent Access
The symlink serves as a stealthy method to retain read-only access to critical files on the device, such as:
- Configuration files.
- SSL-VPN language files containing sensitive metadata.
- Credentials and network settings.
Even after vulnerabilities are patched, the symlink persists, enabling attackers to monitor or extract sensitive information undetected.
4. Avoiding Detection
The symlink’s placement in the user filesystem allows it to evade routine security checks. Traditional patching often addresses the original vulnerabilities but may overlook malicious artifacts like symlinks, leaving compromised devices susceptible to ongoing exploitation.
Potential Impact of the Symlink Trick
1. Data Exposure
The symlink allows attackers to access sensitive configuration files and system information, potentially exposing:
- Administrative credentials.
- Encryption keys.
- Network topology and firewall settings.
This information can be exploited for further attacks, including lateral movement within the network or the deployment of malware.
2. Persistent Exploitation
Even after applying patches for the initial vulnerabilities, the symlink ensures attackers retain an unauthorized foothold on the device. This allows long-term surveillance or further exploitation.
3. Undermined Trust
The exploitation of trusted devices like FortiGate undermines confidence in security measures. It highlights the risks of incomplete remediation during patching processes.
Mitigation Strategies
1. Upgrade to Patched Versions
Fortinet has released updates that automatically remove malicious symlinks and prevent their creation:
- FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 specifically address the symlink exploitation technique.
- Organizations must update all affected devices immediately to ensure comprehensive protection.
2. Enable AV/IPS Signatures
Fortinet introduced AV/IPS (Antivirus/Intrusion Prevention System) signatures to detect and clean malicious symlinks in earlier FortiOS versions. Ensure that:
- The IPS engine is licensed, enabled, and up-to-date to effectively detect and block exploitation attempts.
3. Conduct Thorough Forensic Analysis
If a device is suspected to be compromised, perform extensive forensic analysis:
- Check for malicious symlinks in the filesystem, particularly in SSL-VPN language directories.
- Review device configuration for unauthorized changes.
- Reset all user credentials and revoke certificates to limit potential access.
4. Adhere to CERT Recommendations
CERTs, such as the German Federal Office for Information Security (BSI), recommend:
- Investigating signs of compromise across all Fortinet devices.
- Conducting forensic analysis not just on the affected devices but across the entire network to ensure no lateral movement or additional breaches have occurred.
5. Limit Administrative Access
Restrict high-privilege access to critical systems, ensuring only trusted administrators can interact with device configurations or manage the filesystem.
6. Harden Network Defense
- Segregate networks to limit device exposure to untrusted environments.
- Use secure backup solutions to restore compromised configurations without risking further exploitation.
Lessons Learned from the Symlink Exploitation
1. Patching Is Necessary but Not Sufficient
While timely application of patches is critical, thorough analysis of post-patching artifacts (e.g., symlinks) is essential to ensure complete remediation.
2. Regular Monitoring Is Key
Continuous monitoring of Fortinet devices for unusual file behavior or unauthorized symlink creation can prevent attackers from gaining persistent access.
3. Comprehensive Network Security
Symlink exploitation techniques demonstrate the importance of holistic network security approaches:
- Endpoint protection.
- Intrusion prevention systems.
- Segmentation and least-privilege access.
Final Thoughts
The symlink trick exemplifies the evolving sophistication of post-exploitation techniques targeting Fortinet devices. By leveraging symbolic links, attackers bypass traditional security measures, maintain persistence, and access sensitive data even after vulnerabilities are patched. Organizations must prioritize timely patching, proactive monitoring, and rigorous forensic investigations to mitigate risks effectively.
