Fortinet firewalls feature hard-coded password that acts as a backdoor
Just weeks after Juniper was found to be using insecure code in its products, a security issue has been found in Fortinet's FortiOS. It's a problem that affects the software in older NetScreen firewalls from Fortinet and could allow for remote access of unpatched system.
Buried in the firewall software is a hardcoded password (FGTAbc11*xy+Qqz27) that could be easily used to exploit servers running FortiOS. Ralf-Philipp Weinmann is one of the security researchers who unearthed the problem with Juniper hardware, and he has confirmed the problem which is being referred to as the FortiOS SSH Undocumented Interactive Login Vulnerability.
The SSH backdoor affects FortiGate OS Version 4.x up to 5.0.7, as detailed on Seclists.org and has been shown to be fully exploitable. The code allows for devices running older versions of FortiOS to be accessed with unauthorized SSH connections, and Fortinet has assigned a High risk rating to the issue. Weinmann tweeted to confirm the vulnerability, which he refers to as a backdoor:
FortiOS backdoor confirmed working.
— Ralf (RPW) (@esizkur) January 12, 2016
Fortinet issued a statement downplaying the issue:
This issue was resolved and a patch was made available in July 2014 as part of Fortinet¹s commitment to ensuring the quality and integrity of our codebase. This was not a "backdoor" vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external. All versions of FortiOS from 5.0.8 and later as well as FortiOS 4.3.17 and later are not impacted by this issue.
Of course, the problem still exists in hardware that has not been updated, and it's something of a matter of opinion (or semantics) if you regard it as a backdoor or a "management authentication issue". Whichever side of the fence you fall on, now is the time to ensure that you’re fully updated.
Full details of the FortiOS SSH Undocumented Interactive Login Vulnerability can be found in the Product Security Advisory Fortinet has posted.