Slashdot Mirror


FortiGuard SSH Backdoor Found In More Fortinet Security Appliances (fortinet.com)

itwbennett writes: Earlier this month, an SSH backdoor was identified in Fortinet firewall appliances. Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password. Now, it has found that the same issue also exists in some versions of FortiSwitch, FortiAnalyzer and FortiCache. They said, "In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using [those] products update their systems with the highest priority."

41 comments

  1. license by Anonymous Coward · · Score: 0

    IANAL

    I'm not sure if the licenses of openssh/dropbear ssh/libssh/libssh/... allow this, if they do,
    I think it's time for someone to hardcode some ssh configuration and publish it with some fucking restrictive license so that no one can tamper with the code legally, so he can buttfuck the fucking companies that do this shit. I believe the community will prefer firewalls/routers that have such packages installed.

    1. Re:license by TWX · · Score: 3, Insightful

      You ever try to deal with the legal department of a large company?

      First they ignore you. They do this for quite some time. Quite some time being months to years.

      If they eventually do respond, they don't know what you're talking about.

      If you keep pestering then eventually they call officers for the company for whom they represent. Those officers, knowing nothing themselves, tell the lawyers that there is no problem, which is what they tell you.

      If you still keep pestering eventually the bill that the company receives starts attracting attention and the officer is asked by someone else what's going on, and that officer then gets annoyed and may start asking his department heads. They don't know either, so eventually due to managerial badgering they start asking their subordinates.

      If the subordinates find anything then it gets forwarded back through the section manager to the officer to the lawyer, being revised at each stage by the management layer. Your response from the lawyer is BS. Eventually your back and forth with the lawyer causes the company to finally ask for original reports from the employee to be sent to the lawyer, at which time they look at the actual issues and compare it to their knowledge of the law to now start looking for a way to form a defense.

      Then it finally starts to get somewhere, if you can afford these legal proceedings.

      The legal case involving SCO took something like a decade to essentially resolve, and there are still loose strings to tie-up. In the end it'll probably be twenty years before it's completely done and buried. That was with a company that wasn't healthy financially, that was grasping at straws to find any way it could to survive, how ever underhanded, and with actual companies on the other side that could afford their own extensive legal teams to do battle.

      You as a person do not really stand a chance in these circumstances. Even if you do get an entity like the EFF to take the case for you it'll still take a decade to get somewhere.

      --
      Do not look into laser with remaining eye.
    2. Re:license by hawguy · · Score: 2

      IANAL

      I'm not sure if the licenses of openssh/dropbear ssh/libssh/libssh/... allow this, if they do,
      I think it's time for someone to hardcode some ssh configuration and publish it with some fucking restrictive license so that no one can tamper with the code legally, so he can buttfuck the fucking companies that do this shit.

      You're not sure if they allow what? Hardcoded user passwords? Why wouldn't they? The password is outside of the responsibility of the OpenSSH server, I would hope that the OpenSSH license doesn't dictate system management practices - if a company wants to do something stupid, OpenSSH shouldn't prevent them from doing so. I don't know about the other opensource implementations, but putting any sort of restrictive license on OpenSSH would be a major shift in its licensing and would just shift manufacturers to different products.

      But assuming that it is restricted by license, who is going to pay for all of this corporate buttfucking? License disputes are extremely expensive to litigate, and can an opensource project even recover "damages" for a product that they give away for free? Seems like the best they can hope for is to spend millions of dollars to get the company to stop what it's doing.

      I believe the community will prefer firewalls/routers that have such packages installed

      I don't know what "community" you're talking about, but most of the community that is purchasing these off-the-shelf point and click security products couldn't tell you the difference between management over SSH and management over Telnet, so they certainly aren't going to be scouring the documentation to see which SSH implementation it uses. The users that care are already using something like pfSense.

    3. Re:license by Agripa · · Score: 1

      This is why you either start by enforcing the license through legal means or immediately after the company first dissembles. If legal means to enforce the license are unavailable for whatever reason, then just publicize the violation and move on.

  2. Curious? by mitcheli · · Score: 2

    Why is it that all the security product manufacturers seem to have hard coded passwords in their products?

    --
    Select from tblFriends where interesting >= 4;
    1. Re:Curious? by Anonymous Coward · · Score: 3, Funny

      Because they know their customers want a Network Security Appliance with No Strings Attached?

    2. Re:Curious? by Anonymous Coward · · Score: 0

      Because it simplifies access for the vendor to get into the product, such as if the end user locks themselves out. It was assumed that no one would figure the backdoor out (security by obscurity).

    3. Re:Curious? by silas_moeckel · · Score: 2

      Because like most of IT it's moved from doing stuff to vendor management. AKA call somebody and make it work.

      --
      No sir I dont like it.
  3. Security + Backdoor? by BoRegardless · · Score: 1

    = Legal Liability!

  4. Not Intentional by Anonymous Coward · · Score: 0

    What exactly is a "management feature with hard-coded password" if it's not intentional?

    1. Re:Not Intentional by w1zz4 · · Score: 1

      I think they mean not business intentional. One person, or a small group of people, in the company decided it would be a great idea to incorporate a hard-coded account. Btw, I don't believe it, but this is their line since this has been discovered.

  5. What the hell? by gstoddart · · Score: 4, Insightful

    Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password

    Dear god, this company makes security products???

    This is so crazy stupid it isn't even funny.

    It's a backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.

    This is just PR spin. It's a backdoor, and pretending otherwise is bullshit.

    --
    Lost at C:>. Found at C.
    1. Re:What the hell? by 110010001000 · · Score: 1

      Well, yea, but it was a *really tough* backdoor password. You never would have guessed it. I use the same password on my luggage and no one has guessed it yet!

    2. Re:What the hell? by Anonymous Coward · · Score: 0

      Incorrect. An undocumented account with a hard-coded password is not the very definition of a backdoor, it is merely an example of a backdoor. A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.

    3. Re:What the hell? by TWX · · Score: 1

      You two are arguing semantics at this point. His citation that this is the very definition of a backdoor is probably meant to illustrate that this thing in all cases in which it is found is a backdoor. There is no case for which this isn't a backdoor.

      From a language point-of-view, since dictionaries often list multiple definitions for a word or expression, this set of circumstances undoubtedly matches one definition exactly, even if other definitions for the term exist as variations on a theme.

      --
      Do not look into laser with remaining eye.
    4. Re:What the hell? by myowntrueself · · Score: 2

      Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password

      Dear god, this company makes security products???

      This is so crazy stupid it isn't even funny.

      It's a backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.

      This is just PR spin. It's a backdoor, and pretending otherwise is bullshit.

      The funny thing about their excuse is that the hard-coded password was disguised so as to be hard to detect when looking at a dump of the code; it's disguised as a piece of debugging code.

      It's not just a hard-coded password, it's deliberately concealed and obfuscated; someone put some thought and attention to detail into this.

      --
      In the free world the media isn't government run; the government is media run.
    5. Re: What the hell? by bill_mcgonigle · · Score: 0

      Yet, the released "fix" still has the same hard-coded string in it. There's been speculation that they just added port-knocking.

      The company is effectively dead to anybody doing real security. If they got an RSA-style payment, I wonder who's liable to the shareholders.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re: What the hell? by Anonymous Coward · · Score: 0

      Cisco (well, the Linksys side anyway) added a port knock (specially crafted packet) to their hard-coded passwords and they are still too big to fail.

    7. Re:What the hell? by nnull · · Score: 1

      You think that's bad, you should see all of Siemens products. With all their backdoors, they've now included a web interface as a backdoor with their brilliant new designs! Enjoy!
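    To make concrete what the posts above are arguing about (an undocumented account whose secret is the same on every unit, sold as a "management feature"), here is an added illustration that is not Fortinet's code and contains none of its real account names or strings; the names `support_access`, `debug-string-0xdeadbeef` and `recovery` are made up for the example. The vulnerable class shows the fleet-wide bypass; the hardened class shows the shape a lockout-recovery feature should take instead: every account that can authenticate lives in the on-device store and is enumerable for audit, and the recovery secret is random per device, so leaking one unit's secret does not open every other unit.

```python
import hashlib
import hmac
import secrets

# Hypothetical names for the example; nothing here is a real Fortinet account or string.
_HIDDEN_USER = "support_access"
_HIDDEN_SECRET = "debug-string-0xdeadbeef"


class VulnerableAuthenticator:
    """Operator-provisioned accounts plus one undocumented account whose
    secret is compiled into the firmware and therefore identical on every
    shipped unit. This is the pattern the thread is calling a backdoor."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)          # user -> plaintext password

    def login(self, user, password):
        if user == _HIDDEN_USER and password == _HIDDEN_SECRET:
            return True                          # fleet-wide bypass, invisible to the operator
        return self.accounts.get(user) == password


class HardenedAuthenticator:
    """Only accounts in the on-device store can authenticate, every such
    account is listable for audit, and the vendor/operator recovery secret
    is generated per unit at provisioning time rather than baked in."""

    ITERATIONS = 100_000                         # PBKDF2 work factor for the example

    def __init__(self):
        self._store = {}                         # user -> (salt, derived key)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_account(self, user, password):
        salt = secrets.token_bytes(16)
        self._store[user] = (salt, self._derive(password, salt))

    def provision_recovery_account(self, user="recovery"):
        """Lockout-recovery credential: random per device, shown once to
        the operator at provisioning, stored only as a salted hash."""
        secret = secrets.token_urlsafe(24)
        self.add_account(user, secret)
        return secret

    def list_accounts(self):
        """Everything that can log in is visible here; nothing is hidden."""
        return sorted(self._store)

    def login(self, user, password):
        entry = self._store.get(user)
        if entry is None:
            # Derive anyway so an unknown user costs the same time as a wrong password.
            self._derive(password, b"\x00" * 16)
            return False
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)


def demo():
    """Two units provisioned identically: the hidden account opens the
    vulnerable one, while the hardened recovery secret is unit-specific."""
    vuln = VulnerableAuthenticator({"admin": "hunter2"})
    unit_a, unit_b = HardenedAuthenticator(), HardenedAuthenticator()
    for unit in (unit_a, unit_b):
        unit.add_account("admin", "hunter2")
    recovery_a = unit_a.provision_recovery_account()
    return {
        "hidden_account_opens_vulnerable": vuln.login(_HIDDEN_USER, _HIDDEN_SECRET),
        "hidden_account_opens_hardened": unit_a.login(_HIDDEN_USER, _HIDDEN_SECRET),
        "recovery_a_opens_a": unit_a.login("recovery", recovery_a),
        "recovery_a_opens_b": unit_b.login("recovery", recovery_a),
        "accounts_visible_on_a": unit_a.list_accounts(),
    }


if __name__ == "__main__":
    print(demo())
```

    The point of `list_accounts()` is that an auditor comparing the documented admin list against it sees every principal the device will accept; the vulnerable class has no equivalent, which is exactly why the thread calls the account "undocumented". The extra PBKDF2 call on the unknown-user path keeps username enumeration from being a timing side channel.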

  6. class action lawsuit? by NotQuiteReal · · Score: 1

    Sounds like this product was intentionally unfit for its stated purpose.

    Normally class action lawsuits are BS, but in this case, the company deserves it.

    --
    This issue is a bit more complicated than you think.
    1. Re:class action lawsuit? by Anonymous Coward · · Score: 0

      I still lean towards this being better suited as violations of the UCC, possibly fraud, and maybe for good measure violation of the Computer Fraud and Abuse Act. Yes, you can make all of this a class action, but in that case the settlement is smaller than individual cases and just jacks up attorneys' fees; 1,000+ cases filing suit for these charges has the benefit of:
      a.) 1,000 charges of each
      b.) 1,000 filings for each claim
      c.) Courts are tied up so no dumb shit gets through easily
      d.) Stock holders will take notice and act significantly faster causing suits from the shareholders for not acting in their best interests...
      e.) Multiple opportunities to set a precedent of "this shit isn't acceptable, ever"

  7. backdoor (n) by Anonymous Coward · · Score: 0

    backdoor (n) - a management feature which relies on an undocumented account with a hard-coded password

  8. Hard coded password by Anonymous Coward · · Score: 0

    Whose idea was that? I think it was 45 years ago I was told that was a bad idea by my college professor. Which means the idea was older than that and was known to be a bad one still earlier than that. And we still see the same mistake being made today.

    E.C.P.

  9. Name backdoors by the CEOs by Anonymous Coward · · Score: 2

    I think we should name the backdoors by the CEOs because after all they are responsible for it.
    Consequently this is the "Ken Xie" Fortinet Backdoor.

    It should not be enough to just rebrand the company. If this does not end in a serious restructuring then no lesson has been learned.

  10. Never heard of their products by Anonymous Coward · · Score: 0

    I trust that current customers will switch to other products. That backdoor was put in on purpose by someone at their company. Whether management knew or not is inconsequential. They have lost any integrity and trust.

    1. Re: Never heard of their products by Anonymous Coward · · Score: 0

      That's a bit naive. Many organizations have Forti-whatever all over the place and can't just switch products.

  11. One codebase, many "products" by swb · · Score: 1

    This doesn't seem surprising. I'd wager that most of these products use the same code base, with various features enabled/available depending on what underlying hardware they run on.

  12. For Shame by Anonymous Coward · · Score: 0

    For as much blowback as Juniper got when they disclosed their backdoor + VPN vulnerability, Fortinet actually makes them look good. Fortinet knew about this and silently fixed it back in 2014 though they told nobody. At least Juniper bothered to let people know (though their PSN was shamelessly vague). Fortinet didn't do anything until someone anonymously posted exploit code (and they still say it's not a backdoor).

    It seems like with Sauron's eye on security vendors we are going to be seeing a great deal of new backdoors and massive security vulnerabilities in security products very soon.

  13. I slipped and accidentally created a backdoor by Anonymous Coward · · Score: 0

    Come on. SERIOUS?

  14. The lesson... by Junta · · Score: 1

    Is to not use 'appliances' in any remotely potentially secure application. Vendors have shown time and time again they are just as susceptible to screwing up as a common administrator. The difference being that a common administrator screwing up may be in a unique way not known by many, while a vendor cock up will be well known and land in some exploit kit.

    As a rule, don't put any appliance or firmware internet facing if you care about the security.

    --
    XML is like violence. If it doesn't solve the problem, use more.
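    For anyone who has to keep such an appliance in service anyway, the operational fallback is to watch the management plane for exactly the two things this story implies: successful logins by accounts that are not on the documented admin list, and management logins arriving from outside the network that is supposed to carry them. Below is an added detection example, not Fortinet's code and not written against any Fortinet log format; the sample lines are constructed in a generic sshd-style syslog format (an assumption, since a real appliance's log format will differ), and the admin list and management subnet are made up for the example.

```python
import ipaddress
import re

# Constructed sample log lines in a generic sshd-style syslog format (assumption:
# a real appliance will log differently, so the regex below is what you adapt).
SAMPLE_LOG = """\
Jan 22 10:01:02 fw01 sshd[4123]: Accepted password for admin from 10.10.0.5 port 51022 ssh2
Jan 22 10:03:17 fw01 sshd[4131]: Failed password for root from 203.0.113.9 port 40011 ssh2
Jan 22 10:05:44 fw01 sshd[4140]: Accepted password for svc_mgmt from 203.0.113.9 port 40012 ssh2
Jan 22 10:06:01 fw01 sshd[4144]: Accepted publickey for admin from 10.10.0.7 port 51100 ssh2
Jan 22 10:09:30 fw01 sshd[4152]: Accepted password for admin from 198.51.100.20 port 45000 ssh2
"""

# Only successful logins matter here; failed attempts are noise for this rule.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical allowlist and management network for the example.
DOCUMENTED_ADMINS = {"admin"}
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_logins(text):
    """Yield one dict per successful login line; skip everything else."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious_logins(text, documented=DOCUMENTED_ADMINS, mgmt_nets=MGMT_NETS):
    """Flag successful logins by undocumented accounts and logins from outside
    the management network. Returns (timestamp, user, ip, reasons) tuples."""
    findings = []
    for ev in parse_logins(text):
        reasons = []
        if ev["user"] not in documented:
            reasons.append("undocumented-account")
        ip = ipaddress.ip_address(ev["ip"])
        if not any(ip in net for net in mgmt_nets):
            reasons.append("outside-mgmt-network")
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, ip, reasons in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts} user={user} src={ip} reasons={','.join(reasons)}")
```

    The allowlist check is the one that catches an undocumented account the moment it is used, whether or not you knew about it in advance; the subnet check is the control that makes "don't put the appliance's management interface Internet-facing" verifiable after the fact rather than just a rule people hope was followed.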
  15. No such agency mole? by Anonymous Coward · · Score: 0

    I wonder if the Nefarious Screw-u Agency plants moles/spies/agents into security companies to "accidentally" create/plant backdoors or exploits.

  16. Duplicate... by Anonymous Coward · · Score: 0

    I remember seeing this topic on Slashdot already Friday.... either from ArsTechnica or from Softpedia. Recycling again... or is it a favor for CSO once again.... are they paying that well to be promoted here? Even for dupes?

  17. What what? by Anonymous Coward · · Score: 0

    You mean you don't have another fortinet in front of your fortinet???

  18. Security you can patch yourself easily... apk by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    ---

    FREE, not 'souled-out' to advertisers + adds speed, security & reliability. Does FAR more w/ FAR less more efficiently vs. redundant browser addons & local DNS servers @ home.

    It not ONLY fixes DNS' many security issues, it stops a LOT of tracking @ webpage + DNS levels via 1 file you NATIVELY have per my subject above!

    Firewalls do the rest (on less used IP address trackers vs. host-domain name type).

    ---

    It obtains data vs. threats & for adblocking from 10 reputable security community sites - easily texteditor edited (see subject).

    ---

    SPEEDS YOU UP 2 ways (adblocks + local RAM cached favorite sites @ TOP of hosts for fastest resolution speed vs. remote DNS (aids reliability)) vs. other "so-called security 'solutions'" SLOWING YOU!

    ---

    All that via something you natively have vs. "bolting on browser addons 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overheads!

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee who verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    Its 32-bit model too https://www.virustotal.com/en/...

    Its installer too -> http://f.virscan.org/APKHostsF...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes!)

    ...apk

    1. Re: Security you can patch yourself easily... apk by Anonymous Coward · · Score: 0

      piss off

    2. Re: Security you can patch yourself easily... apk by Anonymous Coward · · Score: 0

      Wow, an actual ad for a hosts file disguised as a comment post. Not sure how I feel about that, but here's a snark for you anyway.

      Shhhhh! If you advertise our secret weapon, they might start bypassing it at the kernel level, so that our defenses are useless! Shhhhhhh!

  19. Cisco Security by Jeffbezos11 · · Score: 1

    Fortigate firewall is Fortinet's security podium flagship. The Fortigate systems measure to fit a home office up to big enterprises. Fortigates deal multi-threat reaction, a constantly updated hazard analysis, and real-time defense beside any threat to your network. Unlike most firewalls which are partial in providing essential functions, Fortinet systems offer the major suite of security technologies. pass4sure 200-120 dumps

  20. Bah, easily countered... apk by Anonymous Coward · · Score: 0

    First, you'd have to get to a system protected by hosts - good luck w/ that when hosts block infestation before it happens!

    Secondly, Windows' recovery console tools remove driver-level attacks using ListSvc to spot a driver & then Disable to stop it running. See subject, you fail...

    In fact, between ProcessExplorer (for usermode attacks by malware) &/or RecoveryConsole tools? I have never EVER needed a virus removal tool OR antivirus (not that I ever get infected, hosts stop that before it can happen far more proactively than antivirus ever could since it waits for you to BE infested first... hosts block sources of infestation before it can happen!)

    * When will you trolls ever learn you're NOT my equals/peers in computing knowledge & that I'll outsmart, outthink & just plain OUT you, easily? Never, apparently... & that's OK by me! Why??

    You continually make ME look GOOD - thanks!

    APK

    P.S.=> Now, you just KNOW that I've just GOT to say it, now don't you? Ah, but of course you do:

    This? This was just "too, Too, TOO EASY - just '2ez'" & it always is vs. wimp trolls that hide behind unidentifiable ac posts that I can tear apart like nothing to it since their computing know-how is EXTREMELY limited, lol (just like their dull brains)... apk

  21. Take your own advice or prove me wrong... apk by Anonymous Coward · · Score: 0

    You obviously can't prove my points on hosts validly technically wrong so take your own advice unidentifiable truly cowardly ac troll.

    * You aren't in my league in the art & science of computing & the link below proves it for me... thanks!

    APK

    P.S.=> I've got to hand it to you weak trolls - you're just making me look GOOD here & I thank you for it... especially here -> http://it.slashdot.org/comment... & it's just "too, Too, TOO EASY - just '2ez'" for me to bust you fools up everytime you *try* to even ATTEMPT to outthink me - you never have, & you NEVER will (& you know it - you're just too LIMITED in skills and brainpower to do so - & you know that too, lol)... apk

  22. Additionally vs. rootkits/rpl 0/ring 0 attack? by Anonymous Coward · · Score: 0

    Fixmbr in Recovery console tools (or Win7 & beyond emergency system recovery tools) w/ Disable (vs. driver driven rootkits in kernelmode) commands vs. rootkit/rpl 0/ring 0/kernelmode attacks by fixing bootsector attack!

    (You don't need anything more than what you natively have to remove threats & you'd have to GET INFECTED 1st - Custom hosts REINFORCED by my program vs. latest threats (or old ones that aren't sinkholed yet if so chosen) WON'T LET YOU BE INFECTED pre-blocking them)

    * It's how hosts = SUPERIOR to antivirus/antispyware technology that only really works (even though Symantec LITERALLY ADMITTED antivirus is ineffective vs. today's threat vectors no less) ONCE YOU ARE INFECTED!

    Plus, unlike antivirus SLOWING you? hosts prevent that also!

    Hosts SPEEDS YOU UP 2 WAYS (adblocking & favorite sites hardcoded) which even hostsman my fellow hosts populator by a 'competitor' does NOT do!

    Nor do browser addons like UBlock (uses hosts data now - imitation = sincerest form of flattery & is NOT a resolver - this makes it weak vs. next point too vs. hosts)

    Reverse DNS verification of users' favorite sites hardcoded into hosts is where they typically spend 95++% of their time online @ the TOP of hosts cached in RAM for fastest possible resolutions, faster than remote DNS & less complex + resource intensive & less power consumptive than locally installed DNS + reinforces vs. DNS redirect security poisonings OR being downed (dns goes down a lot) & vs. inferior, redundant, inefficient, crippled by default browser addons not doing this too!

    APK

    P.S.=> Doing MORE with LESS, more efficiently, by using what you already natively have @ your disposal to dispose of not only infestations but also the need for ILLOGICALLY "Bolting on 'MoAr'"!

    ... apk