Fortinet, the company whose enterprise network security offerings include the popular FortiGate firewall platform, has issued a statement regarding a security issue that was publicly revealed this weekend: an SSH backdoor in FortiOS, the OS running on many of the company’s products.
As Iain Thomson succinctly explained, “it appears Fortinet’s engineers implemented their own method of authentication for logging into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment.”
“The recent issue that was disclosed publicly was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” the company clarified in a statement released on Tuesday. “This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue.”
FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 are affected by this issue, but it is expected that most IT admins have updated the software since July 2014 to one of the unaffected versions (4.3.17 or later, 5.0.8 or later, 5.2, or 5.4, the latest one). Those who haven’t or can’t upgrade have been provided with workarounds that mitigate the problem.
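An added example, not part of this article or of Fortinet’s own tooling: a small Python check that flags devices in an inventory running one of the affected FortiOS builds named above, comparing version numbers numerically rather than as strings (the hostnames and versions in the sample inventory are constructed).

```python
# Added example (not from the article): audit a constructed FortiOS version
# inventory against the affected ranges the article names:
# 4.3.0-4.3.16 and 5.0.0-5.0.7 (fixed in 4.3.17 / 5.0.8; 5.2 and 5.4 unaffected).
from typing import List, Tuple

AFFECTED_RANGES = [
    ((4, 3, 0), (4, 3, 16)),
    ((5, 0, 0), (5, 0, 7)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'FortiOS 5.0.7' or 'v5.0.7' into a numeric tuple (5, 0, 7).

    Numeric comparison matters: compared as strings, '5.0.10' < '5.0.8'.
    """
    core = text.strip().lower()
    if core.startswith("fortios"):
        core = core[len("fortios"):].strip()
    core = core.lstrip("v")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to three components so '5.2' compares as 5.2.0.
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still run an affected build."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "FortiOS 4.3.16"),
    ("fw-branch-02", "4.3.17"),
    ("fw-dc-01", "v5.0.7"),
    ("fw-dc-02", "5.0.10"),
    ("fw-edge-01", "5.2"),
    ("fw-edge-02", "5.4"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: affected build, upgrade or apply the vendor workaround")
```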
Fortinet has acknowledged that the hole is “high risk”, but has also tried to keep this issue from being tied to the several backdoors recently discovered in Juniper’s firewall appliances. The introduction of those backdoors is widely believed to be intentional, mostly because the company made some questionable (and still unexplained) choices when selecting which random number generator would be used in ScreenOS, the OS running on the affected NetScreen firewall devices.
“The issue was identified by our Product Security team as part of their regular review and testing efforts,” Fortinet pointed out in the Tuesday statement. “After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”
In the wake of the Juniper backdoor revelations, Cisco Systems announced that it will be reviewing the software running on its devices and looking “for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.”