Pierluigi Paganini January 23, 2016

A review of all the products allowed Fortinet to discover the same SSH backdoor on some versions of its solutions.

Recently security experts reported the presence of a SSH backdoor in Fortinet firewalls, news of the day is that the company has found the same backdoor also in several new products, many of them running current software.

Fortinet used a secret authentication for FortiOS-based security appliances, but unknown experts were able to make a reverse-engineering of the code discovering the secret passphrase used to access the backdoor.

Accessing FortiOS firewalls is very easy considering also that a Python script to exploit the backdoor has been published on the Full Disclosure mailing list as a proof of concept code. Running the script against a vulnerable Forti-OS firewall the attacker will gain administrator-level command-line access to the device.

Fortinet officials promptly clarified that the SSH backdoor affected only older versions of Fortinet FortiOS software.

This week Fortinet has published a new blog post, to provide an update on the case of the SSH backdoor. According to the company a review of its solution allowed to discover that the backdoor still affects several current company products, including some versions of FortiAnalyzer, FortiCache, and FortiSwitch devices.

“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache.  These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS. As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access.” states Fortinet.

“In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using the following products update their systems with the highest priority:

• FortiAnalyzer: 5.0.0 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
• FortiSwitch: 3.3.0 to 3.3.2
• FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
• FortiOS 4.1.0 to 4.1.10
• FortiOS 4.2.0 to 4.2.15
• FortiOS 4.3.0 to 4.3.16
• FortiOS 5.0.0 to 5.0.7

The discovery of the SSH backdoor in the Fortinet appliance follows the disconcerting discovery of “unauthorized code” in Juniper firewalls could be exploited by attackers to decrypt VPN traffic.

Pierluigi Paganini

(Security Affairs – Fortinet SSH Backdoor, hacking)