Someone Just Leaked a Hard-Coded SSH Password Backdoor in Fortinet Firewalls
Are millions of enterprise users, who rely on the next-generation firewalls for protection, actually protected from hackers?
Probably Not.
Just less than a month after an unauthorized backdoor found in Juniper Networks firewalls, an anonymous security researcher has discovered highly suspicious code in FortiOS firewalls from enterprise security vendor Fortinet.
According to the leaked information, FortiOS operating system, deployed on Fortinet’s FortiGate firewall networking equipment, includes an SSH backdoor that can be used to access its firewall equipment.

Anyone can Access FortiOS SSH Backdoor

Anyone with “Fortimanager_Access” username and a hashed version of the “FGTAbc11*xy+Qqz27” password string, which is hard coded into the firewall, can login into Fortinet’s FortiGate firewall networking equipment.
However, according to the company’s product details, this SSH user is created for challenge-and-response authentication routine for logging into Fortinet’s servers with the secure shell (SSH) protocol.
This issue affected all FortiOS versions from 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7, which cover FortiOS builds from between November 2012 and July 2014.

Proof-of-Concept Exploit Code is Available Online

The issue was recently reported by an anonymous user (operator8203@runbox.com), who posted the exploit code on the Full Disclosure mailing list this week, helping wannabe hackers generate the backdoor’s dynamic password.
System administrators can also make use of this exploit code to automate their testing process in an effort to find out whether they have any vulnerable FortiGuard network equipment laying around.
A Twitter user also shared a screenshot purporting to show someone gained remote access to a server running FortiOS using the exploit code.
Someone Just Leaked Hard-Coded Password Backdoor for Fortinet Firewalls
The most important fact to be noted here is anyone using this backdoor account doesn’t appear in the device’s access logs, as the backdoor might be tied to its FortiManager maintenance platform.
Also, there is less chance with professional sysadmins to expose their SSH port online, but this backdoor account can still be exploited by attackers with access to the local network or a virtual LAN, by infecting an organization’s computer.

Fortinet Response on the Issue

Fortinet, on its part, attempted to explain why its products were shipped with hard coded SSH logins. According to the company, its internal team fixed this critical security bug (CVE-2014-2216) in version 5.2.3 back in July 2014, without releasing any advisory.
However, Few Hours ago, Fortinet has finally published a security advisory and an official blog post regarding the incident, saying:

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts.”

Original Post: http://thehackernews.com/2016/01/fortinet-firewall-password-hack.html

Advertisements