Fortinet SSH Backdoor Found In Firewalls


So the Fortinet SSH Backdoor, apparently it’s just a management authentication issue. Sorry, what’s that? It looks like a passphrase based admin level access login via SSH to me personally.

Which is scary.

Fortinet SSH Backdoor Found In Firewalls

They are adamantly shouting from rooftops that it was not planted by a 3rd party (NSA? Like Juniper..) or any kind of malicious activity.

Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.

It appears Fortinet’s engineers implemented their own method of authentication for logging-into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.


It was actually patched by Fortinet in July 2014, but with edge devices like Firewalls – they don’t often get updated as it usually causes network downtime. So I’d guess there are plenty of firewalls out there very vulnerable to this, which basically gives you full admin access.

You can find the ‘exploit’ script in Python here: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

It’s also possible that even if they did update in a timely fashion, their devices could have been breached before the fix was issued.

The login method is used by FortiManager, a tool for controlling any number of Fortinet devices from a central system.

If you are running older code and can’t upgrade, the firewall maker suggests a couple of workarounds. Managers can disable admin access via SSH and use the web interface instead, or the console browser applet for command-line access. If you really need SSH access, then version 5.x can restrict access to SSH to a minimal set of authorized IP addresses.

Whether you call it a backdoor or a “management authentication issue,” it’s still a pretty major issue for some sysadmins, and they are unlikely to be happy about the news.

One significant part of Fortinet’s statement was the assertion that this didn’t come from an external party. Ever since the Juniper backdooring security vendors have been at pains to avoid any suggestion that they are allowing intelligence agencies access to their products.

In the meantime, if you are using FortiOS then make sure the fimrware is up to date. The news of this hole will have the malicious hacking community aflutter and many are no doubt already scanning for vulnerable targets.

There are some work arounds, what I’d personally like to see though is more transparency about the process and decisions made that led to this code being on production firewalls. How does this even happen?

And how did they only find it during scheduled review and testing? What kind of testing/QA/CI process do they have?

It all sounds rather fishy to me.

Source: The Register

Posted in: Exploits/Vulnerabilities, Networking Hacking


Latest Posts:


LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.
Stardox - Github Stargazers Information Gathering Tool Stardox – Github Stargazers Information Gathering Tool
Stardox is a Python-based GitHub stargazers information gathering tool, it scrapes Github for information and displays them in a list tree view.
ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.


Comments are closed.