Are You Safe From The Fortinet SSH Backdoor?

Are You Safe From The Fortinet SSH Backdoor?

Fortinet: It is an American multinational corporation founded in the year 2000 by brothers Ken and Michael Xie. They sell high performance network security products and services including their flagship integrated network security solution, the FortiGate firewall.

The company has admitted that much more of its product are vulnerable to an SSH backdoor that was coded- with FortiSwitch, FortiAnalyzer and FortiCache. Researchers released a Python script which enables to get administrator-level access to some of its firewall devices using hardwired logins.

Fortinet explained it was a "management authentication issue." not a backdoor as such. At the time, the firm said FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 was the only software affected. The last version released in July 2014, and that was fully patched systems using up-to-date software would be fine.

However, that's not the case.

"Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products," said the company in a blog post.

"During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS."

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.

Thought you were safe from the Fortinet SSH backdoor? Think again https://t.co/Rd1Lra0tC0 #CyberSecurity #InfoSec

— Cx2H (@CyberHitchhiker) January 23, 2016

Jim Clausing, a mentor with the SANS Institute, said that

"Looking at our collected SSH data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability,"

"Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned."