FortiGuard SSH backdoor found in more Fortinet security appliances

FortiSwitch, FortiAnalyzer and FortiCache were also affected

Network security vendor Fortinet has identified an authentication issue that could give remote attackers administrative control over some of its products.

The issue, which was described as a FortiGuard SSH (Secure Shell) backdoor, was originally disclosed earlier this month by an anonymous researcher, who also published exploit code for it.

Last week, Fortinet said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password. Additionally the company noted that the issue was fixed in FortiOS back in July 2014, after being identified as a security risk by the company's own product security team.

FortiOS is the operating system that runs on Fortinet's FortiGuard network firewall appliances. The versions patched in 2014 were FortiOS 4.3.17 and FortiOS 5.0.8, while the newer 5.2 and 5.4 branches have never been affected.

However, after its statement last week, the company began investigating if the same issue also exists in other products and found that some versions of FortiSwitch, FortiAnalyzer and FortiCache are also affected.

"These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS," the company said in a new blog post.

Customers are strongly advised to upgrade to the newly released FortiAnalyzer version 5.0.12 or 5.2.5, depending on which branch of the software they're using. The 4.3 branch is not affected.

FortiSwitch users should upgrade to version 3.3.3 and FortiCache users to version 3.0.8 or to the 3.1 branch, which is not affected.

The company has also provided manual workarounds for affected devices that cannot be immediately upgraded. These consist mainly of disabling SSH access to the devices and using the Web-based management interfaces instead.

"As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices," the company said. "It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access."

The company is likely trying to differentiate this problem from an SSH backdoor found recently in network firewalls from Juniper Networks, one of its competitors. In Juniper's case, the backdoor was added to the company's source code without its knowledge and remained undetected for two years. That incident is reportedly being investigated by the FBI.

Join the CSO newsletter!

Error: Please check your email address.

More about CustomersFBIFortinetJuniperSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place