Fortinet SSH Backdoor Found In Firewalls

The New Acunetix V12 Engine


So the Fortinet SSH Backdoor, apparently it’s just a management authentication issue. Sorry, what’s that? It looks like a passphrase based admin level access login via SSH to me personally.

Which is scary.

Fortinet SSH Backdoor Found In Firewalls

They are adamantly shouting from rooftops that it was not planted by a 3rd party (NSA? Like Juniper..) or any kind of malicious activity.

Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.

It appears Fortinet’s engineers implemented their own method of authentication for logging-into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.


It was actually patched by Fortinet in July 2014, but with edge devices like Firewalls – they don’t often get updated as it usually causes network downtime. So I’d guess there are plenty of firewalls out there very vulnerable to this, which basically gives you full admin access.

You can find the ‘exploit’ script in Python here: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

It’s also possible that even if they did update in a timely fashion, their devices could have been breached before the fix was issued.

The login method is used by FortiManager, a tool for controlling any number of Fortinet devices from a central system.

If you are running older code and can’t upgrade, the firewall maker suggests a couple of workarounds. Managers can disable admin access via SSH and use the web interface instead, or the console browser applet for command-line access. If you really need SSH access, then version 5.x can restrict access to SSH to a minimal set of authorized IP addresses.

Whether you call it a backdoor or a “management authentication issue,” it’s still a pretty major issue for some sysadmins, and they are unlikely to be happy about the news.

One significant part of Fortinet’s statement was the assertion that this didn’t come from an external party. Ever since the Juniper backdooring security vendors have been at pains to avoid any suggestion that they are allowing intelligence agencies access to their products.

In the meantime, if you are using FortiOS then make sure the fimrware is up to date. The news of this hole will have the malicious hacking community aflutter and many are no doubt already scanning for vulnerable targets.

There are some work arounds, what I’d personally like to see though is more transparency about the process and decisions made that led to this code being on production firewalls. How does this even happen?

And how did they only find it during scheduled review and testing? What kind of testing/QA/CI process do they have?

It all sounds rather fishy to me.

Source: The Register

Posted in: Exploits/Vulnerabilities, Networking Hacking


Latest Posts:


CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.
Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.


Comments are closed.