FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
preznik_FTNT
Staff
Description

This article describes how to use the Vulnerability Scan feature in FortiClient/FortiClient EMS to detect vulnerable installations of SolarWinds Orion IT monitoring and management software.

For more information on this hack, see the Fortinet blog post:




Scope
  • In addition to the Antivirus signature W32/Sunburst, which provides protection against the Sunburst trojan, Fortinet released Vulnerability Scan signature 1.00229 for detecting the vulnerable SolarWinds application.

Solution

On EMS:

1. Check that the Vulnerability Scan signatures are up to date on FortiClient and FortiClient EMS.
ems-vul-db.PNG

2. Enable vulnerability detection to identify any endpoints running the vulnerable SolarWinds application. After the vulnerability scan has finished, the discovered endpoints are listed.

VUL-Dashboard.png
And vulnerable applications:

ems_2.PNG

It is recommended to quarantine the endpoint so that it is disconnected from the network, and to reconnect it once it has been cleaned/remediated.

EMS-Quarantine.png


On endpoint:

In the vulnerability scan results, you will be able to see the path to the vulnerable application:
Orion.jpg

Once the vulnerable application is identified, you can patch the endpoint manually using the download link provided.
orion_link.jpg




