Thought you were safe from the Fortinet SSH backdoor? Think again
More devices are dodgy and hackers are cruising for targets
Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable.
Last week, a Python script emerged that could allow anyone to get administrator-level access to some of Fortinet's firewall devices using hardwired logins. Fortinet explained that this wasn't a backdoor as such, but a "management authentication issue."
At the time, the firm said equipment using FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 were affected. The last of these builds was released in July 2014, and that fully patched systems using up-to-date software would be fine.
However, that's not the full story.
"Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products," said the company in a blog post.
"During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS."
Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.
In all cases, the problem can be sorted by updating to the latest firmware builds. Don't delay – hackers are closing in on the backdoor management authentication issue.
"Looking at our collected SSH data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability," said Jim Clausing, a mentor with the SANS Institute.
"Nearly all of this scanning has come from two IPs in China (188.8.131.52 and 184.108.40.206). So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned." ®