The Fortinet SSH backdoor found in many other products

A review of all the products allowed Fortinet to discover the same SSH backdoor on some versions of its solutions.

Recently security experts reported the presence of a SSH backdoor in Fortinet firewalls, news of the day is that the company has found the same backdoor also in several new products, many of them running current software.

Fortinet used a secret authentication for FortiOS-based security appliances, but unknown experts were able to make a reverse-engineering of the code discovering the secret passphrase used to access the backdoor.

Clearly the company tried to downgrade the issues, defining the code a “management authentication issue,” instead the term SSH backdoor.

Accessing FortiOS firewalls is very easy considering also that a Python script to exploit the backdoor has been published on the Full Disclosure mailing list as a proof of concept code. Running the script against a vulnerable Forti-OS firewall the attacker will gain administrator-level command-line access to the device.

Fortinet officials promptly clarified that the SSH backdoor affected only older versions of Fortinet FortiOS software.

This week Fortinet has published a new blog post, to provide an update on the case of the SSH backdoor. According to the company a review of its solution allowed to discover that the backdoor still affects several current company products, including some versions of FortiAnalyzer, FortiCache, and FortiSwitch devices.

“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS. As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access.” states Fortinet.

“In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using the following products update their systems with the highest priority:

FortiAnalyzer: 5.0.0 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
FortiSwitch: 3.3.0 to 3.3.2
FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
FortiOS 4.1.0 to 4.1.10
FortiOS 4.2.0 to 4.2.15
FortiOS 4.3.0 to 4.3.16
FortiOS 5.0.0 to 5.0.7

The discovery of the SSH backdoor in the Fortinet appliance follows the disconcerting discovery of “unauthorized code” in Juniper firewalls could be exploited by attackers to decrypt VPN traffic.

Pierluigi Paganini

(Security Affairs – Fortinet SSH Backdoor, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.