Thought you were safe from the Fortinet SSH backdoor? Think again

More devices are dodgy and hackers are cruising for targets

Sat 23 Jan 2016 // 00:32 UTC

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable.

Last week, a Python script emerged that could allow anyone to get administrator-level access to some of Fortinet's firewall devices using hardwired logins. Fortinet explained that this wasn't a backdoor as such, but a "management authentication issue."

At the time, the firm said equipment using FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 were affected. The last of these builds was released in July 2014, and that fully patched systems using up-to-date software would be fine.

However, that's not the full story.

"Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products," said the company in a blog post.

"During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS."

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.

In all cases, the problem can be sorted by updating to the latest firmware builds. Don't delay – hackers are closing in on the backdoor management authentication issue.

"Looking at our collected SSH data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability," said Jim Clausing, a mentor with the SANS Institute.

"Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned." ®

Topics

Special Features

Vendor Voice

Resources

Security

Thought you were safe from the Fortinet SSH backdoor? Think again

More devices are dodgy and hackers are cruising for targets

More about

More about

More about

More about

More about

TIP US OFF

Other stories you might like

Microsoft squashes SmartScreen security bypass bug exploited in the wild

More than 133,000 Fortinet appliances still vulnerable to month-old critical bug

Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim

A different view from the edge

Double trouble for Fortinet as it issues critical FortiSIEM vulns

Fortinet squashes hijack-my-VPN bug in FortiOS gear

You've patched right? '340K+ Fortinet firewalls' wide open to critical security bug

Fortinet's latest firewall promises hyperscale security while sipping power

A (cautionary) tale of two patched bugs, both exploited in the wild

Fortinet's latest ASIC promises 2.5Gbps of SSL inspection at the edge

Microsoft: Patch this severe Outlook bug that Russian miscreants exploited

Fortinet's cloud firewall ditches custom ASICs for Amazon's Graviton CPUs

About Us

Our Websites

Your Privacy