Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Networking

FortiGuard SSH Backdoor Found In More Fortinet Security Appliances (fortinet.com) 41

itwbennett writes: Earlier this month, an SSH backdoor was identified in Fortinet firewall appliances. Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password. Now, it has found that the same issue also exists in some versions of FortiSwitch, FortiAnalyzer and FortiCache. They said, "In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using [those] products update their systems with the highest priority."
This discussion has been archived. No new comments can be posted.

FortiGuard SSH Backdoor Found In More Fortinet Security Appliances

Comments Filter:
  • by mitcheli ( 894743 ) on Monday January 25, 2016 @11:08AM (#51366137)
    Why is it that all the security product manufacturers seem to have hard coded passwords in their products?
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Because they know their customers want a Network Security Appliance with No Strings Attached?

    • Because like most of IT it's moved from doing stuff to vendor management. AKA call somebody and make it work.

  • = Legal Liability!

  • What the hell? (Score:5, Insightful)

    by gstoddart ( 321705 ) on Monday January 25, 2016 @11:11AM (#51366159) Homepage

    Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password

    Dear god, this company makes security products???

    This is so crazy stupid it isn't even funny.

    It's backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.

    This is just PR spin. It's a backdoor, and pretending otherwise if bullshit.

    • Well, yea, but it was a *really tough* backdoor password. You never would have guessed it. I use the same password on my luggage and no one has guessed it yet!
    • Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password

      Dear god, this company makes security products???

      This is so crazy stupid it isn't even funny.

      It's backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.

      This is just PR spin. It's a backdoor, and pretending otherwise if bullshit.

      The funny thing about their excuse is that the hard coded password was disguised so as to be hard to detect when looking at a dump of the code; its disguised as a piece of debugging code.

      Its not just a hard coded password, its deliberately concealed and obfuscated; someone put some thought and attention to detail into this.

      • Yet, the released "fix" still has the same hard-coded string in it. There's been speculation that they just added port-knocking.

        The company is effectively dead to anybody doing real security. If they got an RSA-style payment, I wonder who's liable to the shareholders.

    • by nnull ( 1148259 )
      You think that's bad, you should see all of Siemens products. With all their backdoors, they've now included a web interface as a backdoor with their brilliant new designs! Enjoy!
  • Sounds like this product was intentionally unfit for the its stated purpose.

    Normally class action lawsuits are BS, but in this case, the company deserves it.
  • by Anonymous Coward

    I think we should name the backdoors by the CEOs because after all they are responsible for it.
    Consequently this it the "Ken Xie" Fortinet Backdoor.

    It should not be enough to just rebrand the company. If this does not end in a serious restructuring then no lesson has been learned.

  • This doesn't seem surprising. I'd wager that most of these products use the same code base, with various features enabled/available depending on what underlying hardware they run on.

  • Is to not use 'appliances' in any remotely potentially secure application. Vendors have shown time and time again they are just as susceptible to screwing up as a common administrator. The difference being that a common administrator screwing up may be in a unique way not known by many, while a vendor cock up will be well known and land in some exploit kit.

    As a rule, don't put any appliance or firmware internet facing if you care about the security.

  • Fortigate firewall is Fortinet's security podium flagship. The Fortigate systems measure to fit a home office up to big enterprises. Fortigates deal multi-threat reaction, a constantly updated hazard analysis, and real-time defense beside any threat to your network. Unlike most firewalls which are partial in providing essential functions, Fortinet systems offer the major suite of security technologies. pass4sure 200-120 dumps [pass4sureusa.com]

If it wasn't for Newton, we wouldn't have to eat bruised apples.

Working...