Thought you were safe from the Fortinet SSH backdoor? Think again

More devices are dodgy and hackers are cruising for targets


Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable.

Last week, a Python script emerged that could allow anyone to get administrator-level access to some of Fortinet's firewall devices using hardwired logins. Fortinet explained that this wasn't a backdoor as such, but a "management authentication issue."

At the time, the firm said equipment running FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 was affected, that the last of these builds was released in July 2014, and that fully patched systems running up-to-date software would be fine.

However, that's not the full story.

"Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products," said the company in a blog post.

"During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS."

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.
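To turn that version list into something you can run against a device inventory, here is an added example (not Fortinet's code and not part of the original article): a small Python checker with the affected ranges transcribed from the list above; the hostnames and version strings in the sample inventory are constructed.

```python
"""Check whether a Fortinet product/firmware version falls inside the ranges
Fortinet listed as carrying the SSH management authentication issue.
The ranges are transcribed from the article; the code itself is an added example."""
import re

# (lowest affected, highest affected), inclusive at both ends
AFFECTED_RANGES = {
    "FortiOS": [("4.1.0", "4.1.10"), ("4.2.0", "4.2.15"),
                ("4.3.0", "4.3.16"), ("5.0.0", "5.0.7")],
    "FortiAnalyzer": [("5.0.5", "5.0.11"), ("5.2.0", "5.2.4")],
    "FortiSwitch": [("3.3.0", "3.3.2")],
    "FortiCache": [("3.0.0", "3.0.7")],   # branch 3.1 is explicitly not affected
}

def parse_version(text):
    """Turn 'v5.0.7', '5.0.7' or '5.0.7,build4289' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(product, version):
    """Return True if the version lies inside an affected range for that product."""
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        raise KeyError(f"no affected-range data for product {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

# Constructed sample inventory (hostname, product, firmware string), as an
# asset database export might look; not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v5.0.7"),
    ("fw-edge-02", "FortiOS", "5.0.8,build4289"),
    ("fa-log-01", "FortiAnalyzer", "5.2.4"),
    ("fc-cache-01", "FortiCache", "3.1.2"),
    ("sw-core-01", "FortiSwitch", "3.3.3"),
]

def triage(inventory):
    """Return the hostnames still running an affected build."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected build, update firmware and restrict SSH to management IPs")
```

Anything the checker flags should be patched first and, in the meantime, have SSH reachable only from the management addresses the article's closing advice mentions.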

In all cases, the problem can be sorted by updating to the latest firmware builds. Don't delay – hackers are closing in on the backdoor management authentication issue.

"Looking at our collected SSH data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability," said Jim Clausing, a mentor with the SANS Institute.

"Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned." ®

Biting the hand that feeds IT © 1998–2022