Slashdot Mirror
FortiGuard SSH Backdoor Found In More Fortinet Security Appliances (fortinet.com)
itwbennett writes: Earlier this month, an SSH backdoor was identified in Fortinet firewall appliances. Last week, the company said that the problem was not an intentional backdoor, but the result of a management feature which relied on an undocumented account with a hard-coded password. Now, it has found that the same issue also exists in some versions of FortiSwitch, FortiAnalyzer and FortiCache. They said, "In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using [those] products update their systems with the highest priority."
Why is it that all the security product manufacturers seem to have hard coded passwords in their products?
Select from tblFriends where interesting >= 4;
= Legal Liability!
Dear god, this company makes security products???
This is so crazy stupid it isn't even funny.
It's backdoor, no matter what you call it. An undocumented account with a hard-coded password is the very definition of a backdoor.
This is just PR spin. It's a backdoor, and pretending otherwise if bullshit.
Lost at C:>. Found at C.
Sounds like this product was intentionally unfit for the its stated purpose.
Normally class action lawsuits are BS, but in this case, the company deserves it.
This issue is a bit more complicated than you think.
You ever try to deal with the legal department of a large company?
First they ignore you. They do this for quite some time. Quite some time being months to years.
If they eventually do respond, they don't know what you're talking about.
If you keep pestering then eventually they call officers for the company for whom they represent. Those officers, knowing nothing themselves, tell the lawyers that there is no problem, which is what they tell you.
If you still keep pestering eventually the bill that the company receives starts attracting attention and the officer is asked by someone else what's going on, and that officer then gets annoyed and may start asking his department heads. They don't know either, so eventually due to managerial badgering they start asking their subordinates.
If the subordinates find anything then it gets forwarded back through the section manager to the officer to the lawyer, being revised at each stage by the management layer. Your response from the lawyer is BS. Eventually your back and forth with the lawyer casues the company to finally ask for original reports from the employee to be sent to the lawyer, at which time they look at the actual issues and compare it to their knowledge of the law to now start looking for a way to form a defense.
Then it finally starts to get somewhere, if you can afford these legal proceedings.
The legal case involving SCO took something like a decade to essentially resolve, and there are still loose strings to tie-up. In the end it'll probably be twenty years before it's completely done and buried. That was with a company that wasn't healthy financially, that was grasping at straws to find any way it could to survive, how ever underhanded, and with actual companies on the other side that could afford their own extensive legal teams to do battle.
You as a person do not really stand a chance in these circumstances. Even if you do get an entity like the EFF to take the case for you it'll still take a decade to get somewhere.
Do not look into laser with remaining eye.
IANAL
I'm not sure if the licenses of openssh/dropbear ssh/libssh/libssh/... allow this, if they do,
I think it's time for someone to hardcode some ssh configuration and publish it with some fucking restrictive license so that no one can tamper with the code legally, so he can buttfuck the fucking companies that do this shit..
You're not sure if they allow what? Hardcoded user passwords? Why wouldn't they? The password is outside of the responsibility of the OpenSSH server, I would hope that the OpenSSH license doesn't dictate system management practices - if a company wants to do something stupid, OpenSSH shouldn't prevent them from doing so. I don't know about the other opensource implementations, but putting any sort of restrictive license on OpenSSH would be a major shift in its licensing and would just shift manufacturers to different products.
But assuming that it is restricted by license, who is going to pay for all of this corporate buttfucking? License disputes are extremely expensive to litigate, and can an opensource project even recover "damages" for a product that they give away for free? Seems like the best they can hope for is to spend millions of dollars to get the company to stop what it's doing.
I beleive the community will prefer firewalls/routers that have such packages installed
I don't know what "community" you're talking about, but most of the community that is purchasing these off-the-shelf point and click security products couldn't tell you the difference between a management over SSH versus one over Telnet, so they certainly aren't going to be scouring the documentation to see which SSH implementation it uses. The users that care are already using something like pfSense.
I think they mean not business Intentional. An, or a small groupe of, person(s) in the company decided it would be a great idea to incorporate a hard coded account. Btw, I don't believe it but this is their line since this have been discovered
I think we should name the backdoors by the CEOs because after all they are responsible for it.
Consequently this it the "Ken Xie" Fortinet Backdoor.
It should not be enough to just rebrand the company. If this does not end in a serious restructuring then no lesson has been learned.
This doesn't seem surprising. I'd wager that most of these products use the same code base, with various features enabled/available depending on what underlying hardware they run on.
Is to not use 'appliances' in any remotely potentially secure application. Vendors have shown time and time again they are just as susceptible to screwing up as a common administrator. The difference being that a common administrator screwing up may be in a unique way not known by many, while a vendor cock up will be well known and land in some exploit kit.
As a rule, don't put any appliance or firmware internet facing if you care about the security.
XML is like violence. If it doesn't solve the problem, use more.
Fortigate firewall is Fortinet's security podium flagship. The Fortigate systems measure to fit a home office up to big enterprises. Fortigates deal multi-threat reaction, a constantly updated hazard analysis, and real-time defense beside any threat to your network. Unlike most firewalls which are partial in providing essential functions, Fortinet systems offer the major suite of security technologies. pass4sure 200-120 dumps
This is why you either start by enforcing the license through legal means or immediately after the company first dissembles. If legal means to enforce the license are unavailable for whatever reason, then just publicize the violation and move on.