Fortinet Finds More SSH BackdoorsHardcoded Backdoors Being Probed From China, Experts Warn
Networking and security equipment vendor Fortinet, based in Sunnyvale, Calif., warns that its practice of including a hardcoded password in some of its products - designed to make them easier to manage - is much more extensive than it first believed (see Fortinet Refutes SSH 'Backdoor' Report). The alert comes as security experts report that attackers have been actively targeting the hardcoded password via SSH to gain full, remote access to vulnerable devices.
Earlier this month, a security researcher warned that he'd found a backdoor in the FortiOS firmware, which could be used to remotely authenticate to vulnerable devices. Fortinet confirmed the flaw, but said it had been publicly identified and patched in July 2014, and that it related to a feature that was designed to make its devices easier to manage. Nevertheless, on Jan. 13, the U.S. Computer Emergency Response Team immediately issued a related alert for the vulnerability, classifying it as a "high severity" flaw.
But Fortinet is now warning that multiple versions of its FortiSwitch, FortiAnalyzer and FortiCache products also have a hardcoded password. "On vulnerable versions, and provided 'Administrative Access' is enabled for SSH, this account can be used to log in via SSH in interactive-keyboard mode, using a password shared across all devices," Fortinet notes in an updated security alert. "It gives access to a CLI [command-line interface] console with administrative rights."
The company has released updates that patch the flaw for all affected devices:
- FortiAnalyzer: 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
- FortiSwitch: 3.3.0 to 3.3.2
- FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
- FortiOS 4.1.0 to 4.1.10
- FortiOS 4.2.0 to 4.2.15
- FortiOS 4.3.0 to 4.3.16
- FortiOS 5.0.0 to 5.0.7
Fortinet is advising customers to "update their systems with the highest priority." To Fortinet's credit, the manufacturer's fixes also address the flaw in "legacy and end-of-life products" that it no longer officially supports.
China Launches Probes
The existence of the backdoors across Fortinet's product line isn't just an academic concern. On Jan. 9, a proof-of-concept exploit - written in Python script - to obtain access to vulnerable devices that run FortiOS was posted to the Full Disclosure mailing list, and related probes for the vulnerability are already underway. That information comes thanks to the SANS Institute having recently launched a new effort to catalog and collect logs showing SSH brute-force password access attempts, as well as attempts to access devices using hardcoded backdoor passwords.
"Looking at our collected SSH data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability," says Jim Clausing, a technical consultant for network security at AT&T, who's also an incident handler for the SANS Institute, in a Jan. 21 blog post.
He recommends that all vulnerable Fortinet devices be screened using firewalls and access-control lists. "Nearly all of this scanning has come from two IPs in China," he says. "So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to SSH from only specific management IPs, you have probably already been scanned and possibly pwned."
Internal Code Review Belatedly Finds Problems
Meanwhile, Fortinet says that the vulnerabilities don't count as a backdoor, since the code wasn't inserted for malicious purposes. "As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices," the company says in a related blog post. "It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access."
But many security experts, including Robert Graham, who heads research firm Errata Security, note that intentionality doesn't count when it comes to backdoors, since would-be attackers can still make use of them.
...we've been calling hard-coded passwords "backdoors" for decades, even though their intent was usually benign (eg. debugging)— Rob Graham ""ï¸ (@ErrataRob) January 13, 2016
Fortinet's new hardcoded password warnings also raise questions about the efficacy of its internal code-review processes. Notably, Fortinet says it found the hardcoded passwords in the three other product lines after the company's product security incident response team, together with its engineering and quality-assurance teams, "undertook an additional review of all of our Fortinet products." That review was launched after the Jan. 9 post to the Full Disclosure mailing list, which warned that there was an "SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7," which the company confirmed and - as noted - was patched in 2014.
"During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache," Fortinet says. "These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS." And Fortinet says that it regularly employs "multiple tiers of inspection, internal and third-party audits and automated triggers and tools across the entire development of our source code" to help root out flaws and vulnerabilities.
Yet the company didn't find the old flaws in the other three product lines until this month, after the Full Disclosure warning. This raises the question: Why didn't Fortinet's multiple tiers of inspection flag those flaws back in 2014?
Life After Juniper Backdoors
That's a pertinent question, following last month's revelations that the NetScreen OS that runs the NetScreen devices sold by U.S. networking giant Juniper appeared to have been backdoored (see Who Backdoored Juniper's Code?). Security experts say that there were three separate backdoors in the Juniper code, inserted by up to three different intelligence agencies. In response, some networking vendors launched deep-dive reviews of their code, looking for signs of tampering or any other unauthorized changes.
To date, Fortinet, as well as Alcatel-Lucent, Brocade, Cisco and Palo Alto Networks have confirmed to Information Security Media Group either that they've been reviewing their code base for signs of tampering in the wake of the Juniper report, or else that they have related processes already in place that are designed to spot such tampering.
But eight other major networking vendors - including Check Point Software Technologies, HP, Huawei and IBM - have yet to respond with details about how they're reacting after the Juniper backdoor revelations, despite repeated requests for comment (see Cisco Reviews Code After Juniper Backdoor Found).