FortiGuard SSH Backdoor Found In More Fortinet Security Appliances

itwbennett writes: Earlier this month, an SSH backdoor was identified in Fortinet firewall appliances. Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password. Now, it has found that the same issue also exists in some versions of FortiSwitch, FortiAnalyzer and FortiCache. They said, "In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using [those] products update their systems with the highest priority."

Re:license

[TWX]

You ever try to deal with the legal department of a large company?

First they ignore you. They do this for quite some time. Quite some time being months to years.

If they eventually do respond, they don't know what you're talking about.

If you keep pestering then eventually they call officers for the company for whom they represent. Those officers, knowing nothing themselves, tell the lawyers that there is no problem, which is what they tell you.

If you still keep pestering eventually the bill that the company receives starts attracting attention and the officer is asked by someone else what's going on, and that officer then gets annoyed and may start asking his department heads. They don't know either, so eventually due to managerial badgering they start asking their subordinates.

If the subordinates find anything then it gets forwarded back through the section manager to the officer to the lawyer, being revised at each stage by the management layer. Your response from the lawyer is BS. Eventually your back and forth with the lawyer casues the company to finally ask for original reports from the employee to be sent to the lawyer, at which time they look at the actual issues and compare it to their knowledge of the law to now start looking for a way to form a defense.

Then it finally starts to get somewhere, if you can afford these legal proceedings.

The legal case involving SCO took something like a decade to essentially resolve, and there are still loose strings to tie-up. In the end it'll probably be twenty years before it's completely done and buried. That was with a company that wasn't healthy financially, that was grasping at straws to find any way it could to survive, how ever underhanded, and with actual companies on the other side that could afford their own extensive legal teams to do battle.

You as a person do not really stand a chance in these circumstances. Even if you do get an entity like the EFF to take the case for you it'll still take a decade to get somewhere.

Re:

[Agripa]

This is why you either start by enforcing the license through legal means or immediately after the company first dissembles. If legal means to enforce the license are unavailable for whatever reason, then just publicize the violation and move on.

Re:

[hawguy]

IANAL

I'm not sure if the licenses of openssh/dropbear ssh/libssh/libssh/... allow this, if they do,
I think it's time for someone to hardcode some ssh configuration and publish it with some fucking restrictive license so that no one can tamper with the code legally, so he can buttfuck the fucking companies that do this shit..

You're not sure if they allow what? Hardcoded user passwords? Why wouldn't they? The password is outside of the responsibility of the OpenSSH server, I would hope that the OpenSSH license doesn't dictate system management practices - if a company wants to do something stupid, OpenSSH shouldn't prevent them from doing so. I don't know about the other opensource implementations, but putting any sort of restrictive license on OpenSSH would be a major shift [openbsd.org] in its licensing and would just shift manufacturers to

Curious?

[mitcheli]

Why is it that all the security product manufacturers seem to have hard coded passwords in their products?

Re:

[Anonymous Coward]

Because they know their customers want a Network Security Appliance with No Strings Attached?

Re:

[silas_moeckel]

Because like most of IT it's moved from doing stuff to vendor management. AKA call somebody and make it work.

Security + Backdoor?

[BoRegardless]

= Legal Liability!

Re:

[w1zz4]

I think they mean not business Intentional. An, or a small groupe of, person(s) in the company decided it would be a great idea to incorporate a hard coded account. Btw, I don't believe it but this is their line since this have been discovered

What the hell?

[gstoddart]

Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password

Dear god, this company makes security products???

This is so crazy stupid it isn't even funny.

It's backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.

This is just PR spin. It's a backdoor, and pretending otherwise if bullshit.

Re:

[110010001000]

Well, yea, but it was a *really tough* backdoor password. You never would have guessed it. I use the same password on my luggage and no one has guessed it yet!

Re:

[TWX]

You two are arguing semantics at this point. His citation that this is the very definition of a backdoor is probably meant to illustrate that this thing in all cases in which it is found is a backdoor. There is no case for which this isn't a backdoor.

From a language point-of-view, since dictionaries often list multiple definitions for a word or expression, this set of circumstances undoubtedly matches one definition exactly, even if other definitions for the term exist as variations on a theme.

Re:

[myowntrueself]

Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password

Dear god, this company makes security products???

This is so crazy stupid it isn't even funny.

It's backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.

This is just PR spin. It's a backdoor, and pretending otherwise if bullshit.

The funny thing about their excuse is that the hard coded password was disguised so as to be hard to detect when looking at a dump of the code; its disguised as a piece of debugging code.

Its not just a hard coded password, its deliberately concealed and obfuscated; someone put some thought and attention to detail into this.

Re: What the hell?

[bill_mcgonigle]

Yet, the released "fix" still has the same hard-coded string in it. There's been speculation that they just added port-knocking.

The company is effectively dead to anybody doing real security. If they got an RSA-style payment, I wonder who's liable to the shareholders.

Re:

[nnull]

You think that's bad, you should see all of Siemens products. With all their backdoors, they've now included a web interface as a backdoor with their brilliant new designs! Enjoy!

class action lawsuit?

[NotQuiteReal]

Sounds like this product was intentionally unfit for the its stated purpose.

Normally class action lawsuits are BS, but in this case, the company deserves it.

Name backdoors by the CEOs

[Anonymous Coward]

I think we should name the backdoors by the CEOs because after all they are responsible for it.
Consequently this it the "Ken Xie" Fortinet Backdoor.

It should not be enough to just rebrand the company. If this does not end in a serious restructuring then no lesson has been learned.

One codebase, many "products"

[swb]

This doesn't seem surprising. I'd wager that most of these products use the same code base, with various features enabled/available depending on what underlying hardware they run on.

The lesson...

[Junta]

Is to not use 'appliances' in any remotely potentially secure application. Vendors have shown time and time again they are just as susceptible to screwing up as a common administrator. The difference being that a common administrator screwing up may be in a unique way not known by many, while a vendor cock up will be well known and land in some exploit kit.

As a rule, don't put any appliance or firmware internet facing if you care about the security.

Cisco Security

[Jeffbezos11]

Fortigate firewall is Fortinet's security podium flagship. The Fortigate systems measure to fit a home office up to big enterprises. Fortigates deal multi-threat reaction, a constantly updated hazard analysis, and real-time defense beside any threat to your network. Unlike most firewalls which are partial in providing essential functions, Fortinet systems offer the major suite of security technologies. pass4sure 200-120 dumps [pass4sureusa.com]