SSH backdoor found in more Fortinet devices, exploit attempts spotted in the wild

In case you missed it, Fortinet announced last week that the recently discovered FortiOS SSH backdoor – or, as the company calls it, “a management authentication issue” – has also been found by its Product Security Incident Response Team (PSIRT) in some versions of FortiSwitch, FortiAnalyzer and FortiCache.

“As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices,” they made sure to note.

The list of affected products is as follows:

  • FortiSwitch v3.3.0 to 3.3.2
  • FortiAnalyzer v5.0.5 to 5.0.11 and v5.2.0 to 5.2.4 (branch 4.3 is not affected)
  • FortiCache v3.0.0 to 3.0.7 (branch 3.1 is not affected)
  • FortiOS v4.1.0 to 4.1.10, v4.2.0 to 4.2.15, v4.3.0 to 4.3.16, and v5.0.0 to 5.0.7

Some of these products are legacy and end-of-life, but are still occasionally used.

Admins should consult Fortinet’s security advisory for the fixed releases to upgrade to and, where upgrading is not an option, for the available workarounds and mitigations.

The disclosure and the fixed releases come just in time: someone has been scanning the Internet for vulnerable Fortinet devices and trying to exploit them with the Python exploit script that was published on the Full Disclosure mailing list.

“Looking at our collected ssh data, we’ve seen an increase in scanning for those devices in the days since the revelation of the vulnerability,” warned ISC handler Jim Clausing.

“Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven’t already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.”
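The check Clausing's advice implies, as an added example that is not part of the ISC diary or of any Fortinet tooling: take the SSH authentication log of an exposed device, group events by source address, and flag every source that falls outside the management ranges the ACL should have allowed. Sources that merely connected or failed to authenticate were scanned; a source outside the management range that opened a session is the case to investigate. The log lines, the 10.0.5.0/24 management range and the sshd-style log format are constructed for the example (the two scanner addresses are the ones named in the quote above); adapt the regexes to whatever your device actually logs.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH auth.log style; not real Fortinet device logs.
SAMPLE_LOG = """\
Jan 16 03:12:01 fgt sshd[2101]: Connection from 124.160.116.194 port 41022
Jan 16 03:12:02 fgt sshd[2101]: Failed password for invalid user admin from 124.160.116.194 port 41022 ssh2
Jan 16 03:15:44 fgt sshd[2107]: Accepted publickey for admin from 10.0.5.10 port 50233 ssh2
Jan 16 03:20:09 fgt sshd[2110]: Connection from 183.131.19.18 port 33210
Jan 16 03:20:10 fgt sshd[2110]: Accepted password for admin from 183.131.19.18 port 33210 ssh2
Jan 16 03:22:00 fgt sshd[2115]: Connection from 10.0.5.11 port 51000
Jan 16 03:25:31 fgt sshd[2118]: Connection from 203.0.113.7 port 60001
"""

# Assumed management range: the only networks the SSH ACL should permit.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Source addresses named in the ISC diary quoted above.
KNOWN_SCANNERS = {"124.160.116.194", "183.131.19.18"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "connect": re.compile(r"sshd\[\d+\]: Connection from " + IPV4),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from " + IPV4),
    "failed": re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from " + IPV4),
}


def parse_line(line):
    """Return (kind, source_ip, user_or_None) for a recognised sshd line, else None."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            ip = m.group(m.lastindex)          # the IP is always the last group
            user = m.group(1) if m.lastindex == 2 else None
            return kind, ip, user
    return None


def is_management(ip, nets=MANAGEMENT_NETS):
    """True if the address lies inside one of the permitted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(log_text, nets=MANAGEMENT_NETS, scanners=KNOWN_SCANNERS):
    """Group sshd events by source IP and assign one verdict per source."""
    events = defaultdict(Counter)
    users = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                           # unrelated log line
        kind, ip, user = parsed
        events[ip][kind] += 1
        if user:
            users[ip].add(user)

    report = {}
    for ip, counts in events.items():
        if is_management(ip, nets):
            verdict = "TRUSTED"                # inside the ACL: expected traffic
        elif counts["accepted"]:
            verdict = "LOGIN_FROM_UNTRUSTED"   # session opened from outside the ACL
        else:
            verdict = "SCANNED"                # probed or failed, no session seen
        report[ip] = {
            "verdict": verdict,
            "known_scanner": ip in scanners,
            "events": dict(counts),
            "users": sorted(users[ip]),
        }
    return report


def summary(report):
    """Map verdict -> sorted list of source IPs, for a quick overview."""
    out = defaultdict(list)
    for ip, entry in report.items():
        out[entry["verdict"]].append(ip)
    return {verdict: sorted(ips) for verdict, ips in out.items()}


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for ip, entry in sorted(rep.items(), key=lambda kv: kv[1]["verdict"]):
        flag = " (listed in ISC diary)" if entry["known_scanner"] else ""
        print(f"{ip:16} {entry['verdict']:22} {entry['events']}{flag}")
```

Two caveats when running this against real data: it only sees what the device logged, so a session that the firmware did not record as an ordinary authentication will not appear, and a clean report does not prove the device was not reached before logging was enabled. If an affected build was reachable over SSH from the Internet during this period, treat "SCANNED" as exposure to be investigated rather than as a pass.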