Slashdot Mirror


SSH Backdoor Found In Fortinet Firewalls (arstechnica.com)

An anonymous reader writes: The IT community was shaken a few weeks ago when Juniper Networks firewalls were found to contain "unauthorized code" that seemed to enable a backdoor. Now, Fortinet firewalls have been found to contain an apparent SSH backdoor as well. "According to the exploit code, the undisclosed authentication works on versions 4.3 up to 5.0.7. If correct, the surreptitious access method was active in FortiOS versions current in the 2013 and 2014 time frame and possibly earlier, based on this rough release history. The weakness was eventually patched, but so far, researchers have been unable to locate a security advisory that disclosed the alternative authentication method or the hard-coded password." A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

71 comments

  1. That's why I build my own firewalls by Anonymous Coward · · Score: 0

    I do all the soldering, everything. The walls are tall and fortified.

    1. Re:That's why I build my own firewalls by Anonymous Coward · · Score: 1

      And Mexico paid for it..... Yea, we know...

  2. At least they came out and said it by fsckinhippies · · Score: 1

    So did Juniper. Wonder when we hear from sonicwall. I won't hold my breath.

    1. Re:At least they came out and said it by The-Ixian · · Score: 1

      Maybe when sonicwall was sonicwall... maybe....

      But now that they are Dell owned? No chance.... Dell has acquired so much so fast that they don't have any idea what they even have....

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:At least they came out and said it by Anonymous Coward · · Score: 1

      when Juniper Networks firewalls were found to contain

      You mean when NETSCREEN firewalls were found. Juniper purchased Netscreen a while back, and those piles of trash are already end of life. Juniper's own firewall product line is the SRX which was completely unaffected, as it runs an entirely different code base.

      when we hear from sonicwall. I won't hold my breath.

      That's probably a good idea, I've had indirect dealings with that company and I can say that not only does their product suck, their support is horrifically bad as well. Not quite as badly as Barracuda, but damn close.

    3. Re:At least they came out and said it by fsckinhippies · · Score: 1

      Good to know. I haven't really followed Juniper. we are a large Cisco reseller. Barracuda has come a long way, still miles from what I would consider quality support, but they have to start somewhere.

    4. Re:At least they came out and said it by fsckinhippies · · Score: 1

      Dell = Screwed over. Not that sonicwall was "ever" a good product.

    5. Re:At least they came out and said it by cheater512 · · Score: 2

      They haven't admitted they had a backdoor.
      They've only admitted they had a 'management authentication issue'.

      Just like many companies are coming under 'advanced persistent threat' attacks.
      They aren't filled with idiots who click Important Document.doc.exe from random emails. Course not!
      The attack has 'advanced' in the title!

    6. Re:At least they came out and said it by fsckinhippies · · Score: 1

      Advanced for fortinet would just be an understanding of email.

    7. Re:At least they came out and said it by dreamchaser · · Score: 2

      Unfortunately SRXs also suck harder than a whore at Mardi Gras.

    8. Re:At least they came out and said it by Anonymous Coward · · Score: 0

      >> when Juniper Networks firewalls were found to contain

      >You mean when NETSCREEN firewalls were found. Juniper purchased Netscreen a while back, and those piles of trash are already end of life. Juniper's own firewall product line is the SRX which was completely unaffected, as it runs an entirely different code base.

      Yeah, right.. Netscreen was acquired by Juniper in 2004 and the version where the backdoor was introduced was in 2012. That was pure Juniper, on a product that they sold a ton of into enterprise customers -- a market their SRX never has and never will make a dent in. It's good that no JunOS backdoors are known, but that doesn't decrease their negligence on the ScreenOS products.

    9. Re:At least they came out and said it by Anonymous Coward · · Score: 1

      Whores don't work Mardi Gras -- too many sluts giving it for free.

  3. "management" = ??? by Anonymous Coward · · Score: 0

    Yeah, management authentication issue... So then the backdoor is required for whom exactly? Probably the police/China.

    1. Re:"management" = ??? by jones_supa · · Score: 2, Insightful

      So then the backdoor is required for whom exactly? Probably the police/China.

      Good luck proving that. My bet is on this being once again just some developer sloppiness, not an intentional backdoor. Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."

    2. Re:"management" = ??? by phantomfive · · Score: 5, Insightful
      Here is their full quote:

      "This was not a 'backdoor' vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

      Their PR firm is earning its money today.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:"management" = ??? by Anonymous Coward · · Score: 0

      Not due to any malicious activity... so are they admitting that it was a "feature" required by management? Sounds like it...

    4. Re: "management" = ??? by Anonymous Coward · · Score: 0

      Is this a closed-source device? If so, I sort of expect this type of behavior.

    5. Re:"management" = ??? by Gr8Apes · · Score: 1

      So then the backdoor is required for whom exactly? Probably the police/China.

      Good luck proving that.

      I'd say the proof has to come the other way given the current state of trust in various entities to do the right thing.

      --
      The cesspool just got a check and balance.
    6. Re:"management" = ??? by Anonymous Coward · · Score: 0

      "Management authentication" means "Users are stupid and need manufacturers to log into their devices for them."

    7. Re: "management" = ??? by ZeroWaiteState · · Score: 5, Interesting

      The fact that DoD (who is just one government among many) spent well over 9 figures on exploits means that government surveillance actually is the simplest explanation these days.

    8. Re:"management" = ??? by s.petry · · Score: 2

      So then the backdoor is required for whom exactly? Probably the police/China.

      Good luck proving that. My bet is on this being once again just some developer sloppiness, not an intentional backdoor. Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."

      My Theorem: "Never assume the motive unless you did it yourself." When humans become perfect and never take advantage of other humans I'll agree that Hanlon's razor is always true. That won't happen, so measure the motive based on evidence and probability.

      In other words, every Government and Government agency is attempting to legalize back doors in all encryption. Several of those same institutions were found to be installing and using backdoors in hardware and software, and attempting to hack into systems they lacked access to.

      Do you find it more probable that a developer "accidentally" left a backdoor in the code and nobody caught it during the whole development chain? Or is it more likely that the backdoor was intentionally installed and not documented so that people could use plausible deniability as defense?

      The latter of course is the most probable, and of course reinforcing the idea that "nobody knew about it" and "it was a mistake" will fly around. Hell, they might even find a scapegoat to fire over it. People like you fall for it all the time, so why would they do otherwise?

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    9. Re:"management" = ??? by Anonymous Coward · · Score: 0

      Thank you for that article.

      However, I really wonder. For a security appliance, leaving a plaintext password in SSH just is too fishy. Even the most green dev who is writing code overseas knows enough not to slap a password into an appliance. Nobody is that stupid, especially with a security appliance which is Common Criteria and FIPS certified.

    10. Re:"management" = ??? by Anonymous Coward · · Score: 0

      Welcome to 2016:

      "Never attribute to stupidity that which is adequately explained by *NSA* malice."

      FTFY.

    11. Re:"management" = ??? by snowgirl · · Score: 1

      So, much like the WMF flaw, "working as intended"?

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    12. Re:"management" = ??? by phantomfive · · Score: 1

      I don't know, but I assume if they were actually trying to hide a back door, they would have done a better job.
      It's not always wise to over-estimate the ability of programmers, though.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:"management" = ??? by Anonymous Coward · · Score: 0

      I think they don't consider the government "malicious" yet.

  4. Don't worry by DickBreath · · Score: 2

    All the other firewalls are safe. Trust the NSA. Nothing to see here. Move along.

    Hey, check out one of the new reality tv shows.

    --

    I'll see your senator, and I'll raise you two judges.
    1. Re:Don't worry by Anonymous Coward · · Score: 0

      Hey, check out one of the new reality tv shows.

      Yea, I hear the "Alaskan Bush People" who have lived in Alaska's bush for decades just got jailed for not being in Alaska enough to be considered residents a few years back...

    2. Re:Don't worry by Obfuscant · · Score: 1

      Hey, check out one of the new reality tv shows.

      Masterchef Junior. It's a hoot seeing Gordon Ramsay make nine year old girls cry.

    3. Re: Don't worry by Anonymous Coward · · Score: 0

      Or see 9 year old girls swear like a trucker.

    4. Re:Don't worry by Anonymous Coward · · Score: 0

      I have watched a few of those shows, and honestly, Gordon is a different person in them. I have yet to see him scream "IT'S BLOODY RAW!" The few times I did see upset kids, one of the hosts (including Gordon) would go console and encourage them.

      If you watch the British version of his show he's a hell of a lot nicer to adults too. The screaming is an act for American TV as far as I can tell.

    5. Re:Don't worry by Anonymous Coward · · Score: 0

      The difference is, Americans respond better to being screamed at, especially the really lazy fucks. It seems like in the UK sly insults work better than screaming.

    6. Re:Don't worry by Anonymous Coward · · Score: 0

      ...says the clown who has obviously never watched the show. Ramsay isn't an ass with the kids like he is with the nincompoops on Hell's Kitchen.

    7. Re:Don't worry by Obfuscant · · Score: 1

      ...says the clown who has obviously never watched the show.

      I know you haven't. It's clear.

      Ramsay isn't an ass with the kids like he is with the nincompoops on Hell's Kitchen.

      No, he isn't, but it doesn't take the same level of abuse to make a nine year old cry as it does a 39 year old. It's odd that the other hosts don't seem to have the same effect on the kids that he does. They can manage to get the message "you didn't do this right" across without histrionics, and he cannot.

    8. Re:Don't worry by KGIII · · Score: 1

      So... I, uh... I don't actually watch TV and I searched for that show - expecting to find a funny Onion skit. I haven't really watched TV and not much at all since the 80s. I don't know what to say, except, "Son, I am disappoint."

      It's not that I have a high minded reason to avoid TV, I just hate commercials. Sometime in the 1980s they went to showing a whole lot more commercials. So, I just kind of stopped. I do watch documentaries online. So, there's that.

      --
      "So long and thanks for all the fish."
  5. iptables + fwbuilder by The-Ixian · · Score: 2

    You don't need no fancy schmancy hardware device.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:iptables + fwbuilder by Anonymous Coward · · Score: 0

      fwbuilder? fuck that. I build my iptables by morse code.

    2. Re:iptables + fwbuilder by SuricouRaven · · Score: 4, Insightful

      That depends how much traffic you are shifting and how many ports you need. Using a Linux or BSD box as a firewall is common now at the low end of performance - a lot of firewall appliances actually are nothing more than modified rack servers running Linux and a web interface for ease of management, like Smoothwall. But if you want to put a firewall between two networks with a 20Gb/s backbone while meeting a strict latency target? You need something specialised. There's still a space for dedicated firewall appliances at the top end. They do a lot more than just iptables-like rule sets too - lots more SPI, detection and automatic blocking of IPs trying to use known vulnerabilities, logging of specified events (i.e., any external IP connecting to a server on port 22), detection of port scanners. Fortinet have firewalls with 100Gb/s ports, and the routing/filtering capacity to keep up too. Hardware firewalls are still going strong at the top end - if you've got the need, you've probably got the money.

    3. Re: iptables + fwbuilder by ZeroWaiteState · · Score: 1

      Those 100Gbps ports are irrelevant if you are doing DPI. The cores can't process the rules fast enough.

    4. Re: iptables + fwbuilder by Anonymous Coward · · Score: 0

      What about a Beowulf cluster? I bet a Beowulf cluster could handle it.

    5. Re:iptables + fwbuilder by bloodhawk · · Score: 1

      What level does your non fancy schmancy hardware scale to? Do you really think people spend hundreds of thousands or even millions on firewalls just because it is "fancy" hardware?

    6. Re: iptables + fwbuilder by Gr8Apes · · Score: 1

      Those 100Gbps ports are irrelevant if you are doing DPI. The cores can't process the rules fast enough.

      100Gbps I haven't seen yet, but 40Gbps exists. Naturally, they're not cheap, but certainly in-line with everything else at that level.

      --
      The cesspool just got a check and balance.
    7. Re: iptables + fwbuilder by Anonymous Coward · · Score: 0

      Let me google that for you: http://www.mellanox.com/page/p...

      PCIe 3.0 16x card. That's 135Gb/s of bandwidth via PCIe, so you at least know the IO can handle it.

    8. Re:iptables + fwbuilder by AmiMoJo · · Score: 1

      Also, if you buy a firewall appliance you can have someone administer it for you remotely. No need to hire someone with the expertise, just pay someone else to manage your firewall and get a lowly Windows Server admin in to handle your internal stuff.

      These things aren't just a box you buy, they are a service.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:iptables + fwbuilder by Anonymous Coward · · Score: 0

      But we want more than firewalls, we want next gen appliances: https://en.wikipedia.org/wiki/Next-Generation_Firewall

  6. Re:Really? by Anonymous Coward · · Score: 0

    And you think the Democrats are ANY different?

    https://theintercept.com/2015/12/07/obama-hints-at-renewed-pressure-on-encryption-clinton-waves-off-first-amendment/

    It doesn't matter which party is in power, you will always move progressively towards tyranny. Both parties hate privacy.

  7. NSA spotted - or throwing out misdirection? by Bruce66423 · · Score: 1

    If we listened carefully, would we hear crying at Fort Meade because they've been caught out, or is it that they've now got other ways to get what they were getting from these sources? My guess is that they won't be happy about all this coming to light, but let's not be fooled into thinking that we are ever really secure on the net.

    1. Re: NSA spotted - or throwing out misdirection? by ZeroWaiteState · · Score: 3, Interesting

      They weren't caught out. Most likely the exploit is already known in several countries and the risk of leaving the exploit in place outweighs operational benefit. If they were actually caught out you wouldn't hear anything because Fortinet would be under NSL.

  8. So what're we calling this one? by BringYourOwnBacon · · Score: 1

    Fortigategate or just plain Fortigate?

  9. Not "shaken", more surprised it took that long by gweihir · · Score: 2

    Seriously, any actual security expert has been expecting things like this for a long time. The only explanation that makes sense for so few of these being found is that most vendors do not go looking in the first place...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. pfsense? by Anonymous Coward · · Score: 0

    I wonder if we're going to hear about any backdoors or exploits for pfsense.

    1. Re: pfsense? by bill_mcgonigle · · Score: 1

      If only they would release the source code somebody could take a look.

      Hrm, has anybody done a pf FPGA compiler yet? My low-end pfSense boxes won't really keep up over two bonded gigabits. All this proprietary gear is e-waste now.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. LOL by JustAnotherOldGuy · · Score: 5, Funny

    A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

    Later they said, "You didn't get 'pwned', you got 'haxored'...it's like, totally different, man."

    And just for the record, I'm not "eating a potato", I'm "utilizing a starch resource with a multi-pronged utensil!"

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:LOL by Anonymous Coward · · Score: 0

      First ever comment on SD after many many years..

      "And just for the record, I'm not "eating a potato", I'm "utilizing a starch resource with a multi-pronged utensil!" - GOLD!

    2. Re:LOL by Anonymous Coward · · Score: 0

      I think you meant to say I am not "eating a potato with a fork" I am "consuming a starch resource with a multi-pronged utensil"

  12. Management Plane, FTW by Anonymous Coward · · Score: 0

    If you limit management plane access, this really would be a trivial issue. Only those with access to the management network would even be able to initiate an SSH session. If an attacker cannot initiate an SSH session, they cannot exploit it.

    Using proper network segmentation and having a management network means there is no need to rush in patching this. Just implement the next upgrade, which would include the fix, when there is another reason to do so.
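The segmentation argument made in this comment (and SuricouRaven's point above about logging any external IP that reaches port 22) as an added example, not code from the thread or from any firewall vendor: a default-deny reachability policy for an appliance's SSH service, the host-firewall rules that implement it, and an audit of constructed log lines that flags any session the policy should have blocked. The management ranges, hostname and log format are assumptions.

```python
"""Management-plane exposure check for an appliance's SSH service.
Added example; network ranges, hostname and log format are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed management networks. Anything else may not reach the SSH service.
MGMT_NETS = [ipaddress.ip_network("10.255.0.0/24"),
             ipaddress.ip_network("fd00:ff::/64")]

# Constructed syslog-style lines (not real appliance output).
SAMPLE_LOG = """\
2016-01-12T09:01:03Z fw01 sshd: Accepted publickey for admin from 10.255.0.7 port 51022
2016-01-12T09:02:17Z fw01 sshd: Failed password for admin from 203.0.113.45 port 40011
2016-01-12T09:02:19Z fw01 sshd: Accepted password for admin from 203.0.113.45 port 40012
2016-01-12T09:03:44Z fw01 sshd: Accepted publickey for netops from fd00:ff::1f port 60020
2016-01-12T09:05:00Z fw01 sshd: Connection closed by 198.51.100.9 port 33000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<event>Accepted \w+ for \S+ from|"
    r"Failed \w+ for \S+ from|Connection closed by) "
    r"(?P<src>[0-9A-Fa-f.:]+) port \d+$"
)


def ssh_allowed(src, mgmt_nets=MGMT_NETS):
    """Default-deny policy: the SSH service answers only management sources."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in mgmt_nets)  # v4/v6 mismatch is False


def render_rules(mgmt_nets=MGMT_NETS, port=22):
    """Host-firewall rules implementing the policy: allow-list, then drop."""
    rules = []
    for net in mgmt_nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    outcome: str   # "accepted", "failed" or "closed"
    severity: str  # "critical" when a non-management source authenticated


def audit(log_text, mgmt_nets=MGMT_NETS):
    """One Finding per SSH event whose source lies outside mgmt_nets.

    A successful login from outside the management network is the case the
    thread worries about: an undisclosed authentication path that
    segmentation would have kept unreachable in the first place.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or ssh_allowed(m["src"], mgmt_nets):
            continue
        word = m["event"].split()[0].lower()   # accepted / failed / connection
        outcome = "closed" if word == "connection" else word
        severity = "critical" if outcome == "accepted" else "warning"
        findings.append(Finding(m["ts"], m["src"], outcome, severity))
    return findings


if __name__ == "__main__":
    for rule in render_rules():
        print(rule)
    for f in audit(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.ts} ssh {f.outcome} from {f.src}")
```

Run against the constructed log, the audit reports three out-of-management events, one of them a successful login, which is exactly the kind of event the commenter's segmentation would have prevented and that SuricouRaven's "external IP on port 22" logging would surface.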

  13. Terry Pratchett quote: by Anonymous Coward · · Score: 0

    From Making Money, regarding a fictional communications company. Read it sarcastically.

    The Grand Trunk's problems were clearly the result of some mysterious spasm in the universe and had nothing to do with greed, arrogance and wilful stupidity. Oh, the Grand Trunk management had made mistakes -- oops, "well-intentioned judgements which, with the benefit of hindsight, might regrettably have been, in some respects, in error" -- but these had mostly occurred, it appeared, while correcting "fundamental systemic errors" committed by the previous management.

    No one was sorry for anything because no living creature had done anything wrong; bad things had happened by spontaneous generation in some weird, chilly, geometrical otherworld, and 'were to be regretted'.

    Here, too, the backdoor vulnerability was spontaneously generated in some weird, chilly, geometrical otherworld...

  14. A lot of hardware and software vendors do this by Anonymous Coward · · Score: 0

    ...all in the name of remote support. HP and Dell both do this, as do GE and Philips.

  15. Build your own by AHuxley · · Score: 1

    Nations have to learn to stop importing complex with issues.
    Learn to fab, design your own hardware, add the code and test it. Lots of nice domestic work for years and a good secure product is created.
    The hardware might not be fast, cool running, an international standard but it will be fully understood from the chips up and be fully supported locally.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Build your own by Anonymous Coward · · Score: 0

      and how is that going to stop anything? Do you really think it is beyond countries like the US to subvert such development? Adding in a simple backdoor that even if found will look like nothing more than an obscure security vulnerability is not hard and I would be more shocked if it isn't already standard practise for certain governments.

    2. Re:Build your own by AHuxley · · Score: 1

      At least you're not paying to fully import a product :)

      --
      Domestic spying is now "Benign Information Gathering"
  16. They also can be useful in lower end apps by Sycraft-fu · · Score: 1

    If you want something that uses less power. It is as true today as ever that you can do more with less juice in an ASIC than in software. So sure, you throw a big CPU at something it can often do the trick. But maybe you don't want a big CPU and associated support hardware, maybe you have a reason to want something lower power. In that case, dedicated hardware comes in.

    Also I think many people who dis hardware firewalls have never seen really difficult networks. It isn't so much the traffic that causes trouble, but the number and randomness of connections. I work on a university campus and we were getting firewalls back in the early days of them as dedicated appliances. On paper, our network was easy, we only had like an OC-3 (155 Mbps) to the Internet and you could get 1 Gbps firewalls no problem... ya those fell over the moment they were turned on. They could not handle the nature of our traffic. We ended up getting some of Cisco's very first hardware firewalls, and they worked well.

    1. Re:They also can be useful in lower end apps by Anonymous Coward · · Score: 0

      pfSense 3.0 claims to reach into the 40Gb stateful firewalling range, even with IPsec enabled. Experimental tweaks to the FreeBSD network stack are claiming line-rate 64-byte packets at 10Gb/s on a single-core 900 MHz or dual-core 450 MHz, for routing.

  17. topkek chaps by Anonymous Coward · · Score: 0

    Likely another NSL casualty reveals itself, juniper, cisco the list goes on, top notch "security" products broken as ordered by those that help to secure sweet FA.

    Cue user cold fjord shilling in 3 , 2 , 1

  18. Volkswagen cf. Juniper/Fortinet by Tokolosh · · Score: 3, Interesting

    The reaction to these types of revelations should be the same as for the VW emissions scandal. A fired CEO, congressional FCC and FTC investigations, class-actions, naming and shaming of the individuals responsible, and the source code.

    --
    Prove anything by multiplying Huge Number times Tiny Number
    1. Re:Volkswagen cf. Juniper/Fortinet by Anonymous Coward · · Score: 0

      What CEO got fired for the VW emissions scandal? I thought, after a thorough investigation by VW, it turned out to be a couple of rogue programmers acting on their own.

    2. Re:Volkswagen cf. Juniper/Fortinet by Shoten · · Score: 1

      What CEO got fired for the VW emissions scandal? I thought, after a thorough investigation by VW, it turned out to be a couple of rogue programmers acting on their own.

      Au contraire...it turned out that the actions went way up the management chain, and indeed CEO Martin Winterkorn stepped down in late September 2015. Google is your friend.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    3. Re:Volkswagen cf. Juniper/Fortinet by Anonymous Coward · · Score: 0

      You don't get congressional investigations for doing what the government asks you to under strict NDA.

    4. Re:Volkswagen cf. Juniper/Fortinet by Anonymous Coward · · Score: 0

      While I agree, accountability in the corporate world doesn't exist.

  19. ANALogy by Shoten · · Score: 1

    A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

    Hm. To me, that reads like this:

    A spokesperson for the Zeta Beta Tau chapter told El Reg, "This was not a surprise unwanted group buttsex situation but rather a dating faux pas."

    This kind of "management authentication issue" IS a backdoor...it's exactly what the term "backdoor" was created to refer to.

    --

    For your security, this post has been encrypted with ROT-13, twice.