Fortinet Identifies Further Products Vulnerable to FortiGuard SSH Backdoor
products, which could be used to gain administrative control of certain devices. The backdoor existed in the FortiOS operating system in versions 4.x up to 5.0.7.
The FortiGuard SSH (Secure Shell) backdoor had not been intentionally added; instead it was a flaw in the management feature, which used an undocumented account and a hard-coded password. Fortinet reports that the flaw was due to “A feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices.” This was therefore different from the security issues with Juniper Networks devices, where a backdoor had been inserted by a malicious actor.
While an independent researcher discovered the flaw, Fortinet said that its own security team had identified the problem and patched it in 2014. FortiOS 4.3.17 and FortiOS 5.0.8 were patched in 2014, and all products running FortiOS versions 5.2 or 5.4 were not vulnerable to the exploit.
While the issue appeared to have been addressed, the publication of the exploit prompted Fortinet to investigate other products to determine whether they too were vulnerable. This week, Fortinet has announced that in addition to some of its FortiGuard firewalls, some of its FortiAnalyzer, FortiCache, and FortiSwitch products are also affected if they are running the vulnerable FortiOS versions.
Since the exploit has been published, it is important for all customers to ensure their Fortinet products are running the latest versions of software.
The vulnerability is not present in FortiAnalyzer 4.3, but users running other versions must upgrade to FortiAnalyzer 5.0.12 or 5.2.5. FortiCache should be upgraded to version 3.0.8 or 3.1, and FortiSwitch to version 3.3.3.
If it is not possible to perform the upgrade, the exploit can be mitigated by disabling SSH access to the devices; the web-based management interface can then be used for administration instead.
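As an added example (not code from the article or from Fortinet), the following Python checker encodes the fixed versions and non-vulnerable branches named above so that an inventory of device version strings can be screened before deciding who needs the upgrade or the SSH workaround. The host names and version strings are constructed, and the `vX.Y.Z,buildNNNN` version format is an assumption; release branches the article does not name are reported as "unknown" rather than guessed.

```python
"""Screen Fortinet product versions against the fixed versions from the advisory."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Per product: release branch -> first fixed version on that branch (from the article).
FIXED: Dict[str, Dict[Version, Version]] = {
    "FortiOS":       {(4, 3): (4, 3, 17), (5, 0): (5, 0, 8)},
    "FortiAnalyzer": {(5, 0): (5, 0, 12), (5, 2): (5, 2, 5)},
    "FortiCache":    {(3, 0): (3, 0, 8)},
    "FortiSwitch":   {(3, 3): (3, 3, 3)},
}
# Branches the article states are not vulnerable (or names as clean upgrade targets).
SAFE_BRANCHES: Dict[str, set] = {
    "FortiOS": {(5, 2), (5, 4)},
    "FortiAnalyzer": {(4, 3)},
    "FortiCache": {(3, 1)},
}


def parse_version(text: str) -> Version:
    """Turn 'v5.0.7,build4148' or '5.0.7' into (5, 0, 7). Format is assumed."""
    core = text.strip().lstrip("vV").split(",")[0]
    return tuple(int(part) for part in core.split("."))


def classify(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one product/version pair."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown"                      # product not covered by the advisory
    v = parse_version(version)
    branch = v[:2]
    if branch in SAFE_BRANCHES.get(product, set()):
        return "fixed"
    if branch in fixed:                       # compare against the branch's fix
        return "affected" if v < fixed[branch] else "fixed"
    if branch < min(fixed):                   # older branch with no fix: must upgrade
        return "affected"
    return "unknown"                          # newer branch the article does not name


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, product, version) records to (host, status)."""
    return [(host, classify(product, ver)) for host, product, ver in inventory]


SAMPLE_INVENTORY = [                          # constructed sample, not real hosts
    ("fw-edge-1", "FortiOS", "v5.0.7,build4148"),
    ("fw-edge-2", "FortiOS", "v4.3.17"),
    ("fw-core-1", "FortiOS", "v5.2.3"),
    ("fa-log-1", "FortiAnalyzer", "v5.0.11"),
    ("fs-access-1", "FortiSwitch", "v3.3.2"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```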