Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.
It appears Fortinet's engineers implemented their own method of authentication for logging-into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.
Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.
"This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase," a spokeswoman told El Reg.
"This was not a 'backdoor' vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."
In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it's certainly possible that some slack IT admins haven't updated the software since then.
It's also possible that even if they did update in a timely fashion, their devices could have been breached before the fix was issued.
The login method is used by FortiManager, a tool for controlling any number of Fortinet devices from a central system.
If you are running older code and can't upgrade, the firewall maker suggests a couple of workarounds. Managers can disable admin access via SSH and use the web interface instead, or the console browser applet for command-line access. If you really need SSH access, then version 5.x can restrict access to SSH to a minimal set of authorized IP addresses.
Whether you call it a backdoor or a "management authentication issue," it's still a pretty major issue for some sysadmins, and they are unlikely to be happy about the news.
One significant part of Fortinet's statement was the assertion that this didn’t come from an external party. Ever since the Juniper backdooring security vendors have been at pains to avoid any suggestion that they are allowing intelligence agencies access to their products.
In the meantime, if you are using FortiOS then make sure the fimrware is up to date. The news of this hole will have the malicious hacking community aflutter and many are no doubt already scanning for vulnerable targets. ®