Slashdot Mirror


SSH Backdoor Found In Fortinet Firewalls (arstechnica.com)

An anonymous reader writes: The IT community was shaken a few weeks ago when Juniper Networks firewalls were found to contain "unauthorized code" that seemed to enable a backdoor. Now, Fortinet firewalls have been found to contain an apparent SSH backdoor as well. "According to the exploit code, the undisclosed authentication works on versions 4.3 up to 5.0.7. If correct, the surreptitious access method was active in FortiOS versions current in the 2013 and 2014 time frame and possibly earlier, based on this rough release history. The weakness was eventually patched, but so far, researchers have been unable to locate a security advisory that disclosed the alternative authentication method or the hard-coded password." A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

13 of 71 comments

  1. Don't worry by DickBreath · · Score: 2

    All the other firewalls are safe. Trust the NSA. Nothing to see here. Move along.

    Hey, check out one of the new reality tv shows.

    --
    I'll see your senator, and I'll raise you two judges.
  2. iptables + fwbuilder by The-Ixian · · Score: 2

    You don't need no fancy schmancy hardware device.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:iptables + fwbuilder by SuricouRaven · · Score: 4, Insightful

      That depends how much traffic you are shifting and how many ports you need. Using a linux or BSD box as a firewall is common now at the low end of performance - a lot of firewall appliances actually are nothing more than modified rack servers running linux and a web interface for ease of management, like Smoothwall. But if you want to put a firewall between two networks with a 20Gb/s backbone while meeting a strict latency target? You need something specialised. There's still a space for dedicated firewall appliances at the top end. They do a lot more than just iptables-like rule sets too - lots more SPI, detection and automatic blocking of IPs trying to use known vulnerabilities, logging of specified events (ie, any external IP connecting to a server on port 22), detection of port scanners. Fortinet have firewalls with 100Gb/s ports, and the routing/filtering capacity to keep up too. Hardware firewalls are still going strong at the top end - if you've got the need, you've probably got the money.
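The two appliance features the comment above names, logging every external connection to port 22 and spotting port scanners, are easy to reproduce over firewall logs. The script below is an added example, not code from the thread or from any vendor: it parses constructed lines in the format the iptables LOG target writes to syslog (the sample lines, the 60-second window, the 10-port threshold and the choice of RFC 1918 ranges as "internal" are all assumptions made for the example), then reports external SSH connection attempts and sources that hit many distinct ports in a short window.

```python
"""Detection over constructed iptables LOG-format syslog lines (example code):
1) external source -> TCP/22 SYN  (new inbound SSH connection)
2) one source probing >= N distinct destination ports inside a time window (port scan)
"""
import ipaddress
import re
from collections import defaultdict

# KEY=value pairs as the iptables LOG target prints them (SRC=, DST=, PROTO=, SPT=, DPT=, ...).
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S+)")
# Kernel uptime stamp "[seconds.micros]" that precedes the LOG prefix.
TS_RE = re.compile(r"\[(?P<ts>\d+\.\d+)\]")
SYN_RE = re.compile(r"\bSYN\b")

# Assumption for the example: RFC 1918 space is "internal", everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict of fields (ts, SRC, DST, PROTO, SPT, DPT, SYN) or None for non-firewall lines."""
    m = TS_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["ts"] = float(m.group("ts"))
    fields["SYN"] = SYN_RE.search(line) is not None
    return fields


def ssh_from_external(events):
    """(src, dst) pairs where an external host opened (SYN) a TCP connection to port 22."""
    return [(e["SRC"], e["DST"]) for e in events
            if e.get("PROTO") == "TCP" and e.get("DPT") == "22" and e["SYN"] and is_external(e["SRC"])]


def port_scanners(events, min_ports=10, window=60.0):
    """Sources that touch >= min_ports distinct destination ports within `window` seconds.
    Sliding window (two pointers) over each source's events sorted by timestamp."""
    by_src = defaultdict(list)
    for e in events:
        if "DPT" in e:
            by_src[e["SRC"]].append((e["ts"], e["DPT"]))
    scanners = set()
    for src, seq in by_src.items():
        seq.sort()
        counts = defaultdict(int)  # distinct ports currently inside the window
        lo = 0
        for ts, dpt in seq:
            counts[dpt] += 1
            while seq[lo][0] < ts - window:  # drop events that fell out of the window
                old = seq[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= min_ports:
                scanners.add(src)
                break
    return scanners


def _line(ts, src, dst, dpt, flags="SYN"):
    # Constructed sample line in iptables LOG target format (not a real capture).
    return (f"Jan 12 10:00:01 fw kernel: [{ts:.3f}] FW-IN IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT={dpt} {flags} URGP=0")


SAMPLE_LOG = [
    _line(1000.1, "203.0.113.5", "192.0.2.10", 22),          # external SSH SYN -> flagged
    _line(1001.2, "10.0.0.5", "192.0.2.10", 22),             # internal SSH -> not flagged
    _line(1002.0, "203.0.113.9", "192.0.2.10", 22, "ACK"),   # no SYN: not a new connection
    "Jan 12 10:00:05 fw sshd[123]: Accepted publickey for admin",  # unrelated line, ignored
] + [_line(2000.0 + i * 0.5, "198.51.100.7", "192.0.2.10", 8000 + i) for i in range(12)]  # scan


def analyze(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return ssh_from_external(events), port_scanners(events)


if __name__ == "__main__":
    ssh_hits, scanners = analyze(SAMPLE_LOG)
    for src, dst in ssh_hits:
        print(f"external SSH connection attempt: {src} -> {dst}:22")
    for src in sorted(scanners):
        print(f"port scan from {src}")
```

The SYN check matters: flagging every packet with DPT=22 would re-alert on each ACK of an established session, so only connection openers are counted. The scan detector keeps a count per port so that repeated hits on the same port do not inflate the distinct-port total.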

  3. Re:"management" = ??? by jones_supa · · Score: 2, Insightful

    So then the backdoor is required for whom exactly? Probably the police/China.

    Good luck proving that. My bet is on this being once again just some developer sloppiness, not an intentional backdoor. Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."

  4. Re:"management" = ??? by phantomfive · · Score: 5, Insightful
    Here is their full quote:

    "This was not a 'backdoor' vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

    Their PR firm is earning its money today.

    --
    "First they came for the slanderers and I said nothing."
  5. Not "shaken", more surprised it took that long by gweihir · · Score: 2

    Seriously, any actual security expert has been expecting things like this for a long time. The only explanation that makes sense for so few of these being found is that most vendors do not go looking in the first place...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:At least they came out and said it by cheater512 · · Score: 2

    They haven't admitted they had a backdoor.
    They've only admitted they had a 'management authentication issue'.

    Just like many companies are coming under 'advanced persistent threat' attacks.
    They aren't filled with idiots who click Important Document.doc.exe from random emails. Course not!
    The attack has 'advanced' in the title!

  7. Re: "management" = ??? by ZeroWaiteState · · Score: 5, Interesting

    The fact that DoD (who is just one government among many) spent well over 9 figures on exploits means that government surveillance actually is the simplest explanation these days.

  8. Re:"management" = ??? by s.petry · · Score: 2

    So then the backdoor is required for whom exactly? Probably the police/China.

    Good luck proving that. My bet is on this being once again just some developer sloppiness, not an intentional backdoor. Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."

    My Theorem: "Never assume the motive unless you did it yourself." When humans become perfect and never take advantage of other humans I'll agree that Hanlon's razor is always true. That won't happen, so measure the motive based on evidence and probability.

    In other words, every Government and Government agency is attempting to legalize back doors in all encryption. Several of those same institutions were found to be installing and using backdoors in hardware and software, and attempting to hack into systems they lacked access to.

    Do you find it more probable that a developer "accidentally" left a backdoor in the code and nobody caught it during the whole development chain? Or is it more likely that the backdoor was intentionally installed and not documented so that people could use plausible deniability as defense?

    The latter of course is the most probable, and of course reinforcing the idea that "nobody knew about it" and "it was a mistake" will fly around. Hell, they might even find a scapegoat to fire over it. People like you fall for it all the time, so why would they do otherwise?

    --
    The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  9. LOL by JustAnotherOldGuy · · Score: 5, Funny

    A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

    Later they said, "You didn't get 'pwned', you got 'haxored'...it's like, totally different, man."

    And just for the record, I'm not "eating a potato", I'm "utilizing a starch resource with a multi-pronged utensil!"

    --
    Just cruising through this digital world at 33 1/3 rpm...
  10. Re: NSA spotted - or throwing out misdirection? by ZeroWaiteState · · Score: 3, Interesting

    They weren't caught out. Most likely the exploit is already known in several countries and the risk of leaving the exploit in place outweighs operational benefit. If they were actually caught out you wouldn't hear anything because Fortinet would be under NSL.

  11. Re:At least they came out and said it by dreamchaser · · Score: 2

    Unfortunately SRXs also suck harder than a whore at Mardi Gras.

  12. Volkswagen cf. Juniper/Fortinet by Tokolosh · · Score: 3, Interesting

    The reaction to these types of revelations should be the same as for the VW emissions scandal. A fired CEO, congressional FCC and FTC investigations, class-actions, naming and shaming of the individuals responsible, and the source code.

    --
    Prove anything by multiplying Huge Number times Tiny Number