Aoutch... after an "unauthorized" backdoor was found in Juniper Networks firewalls, Juniper's ScreenOS, the first report of a highly suspicious code in FortiOS firewalls has been confirmed and tested as an SSH backdoor that can be used to access its firewall equipment.
This issue affected all FortiOS versions from 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7, which cover FortiOS builds from between November 2012 and July 2014.
Proof-of-Concept exploit code was made available online by an anonymous user (email@example.com), who posted the exploit code on the Full Disclosure mailing list this week, helping wannabe hackers generate the backdoor's dynamic password. FortiOS SSH backdoor can be then accessed via the Fortimanager_Access username.
While the initial report was vague, the infosec community on Reddit and Hacker News has managed to narrow down affected FortiOS versions to the 4.x branch up to 4.3.16, and the 5.x branch up to 5.0.7.
Anyone with "Fortimanager_Access" username and a hashed version of the "FGTAbc11*xy+Qqz27" password string, which is hard coded into the firewall, can login into Fortinet's FortiGate firewall networking equipment. According to the company's product details, this SSH user is created for challenge-and-response authentication routine for logging into Fortinet's servers with the secure shell (SSH) protocol.
Sysadmin shouldn't expose their firewall SSH port to the Internet but it happens and still this backdoor can be exploited if an attacker gains access to the local network or a virtual LAN by infecting an organization's PC.
If this happens, the attacker can access a Fortinet network security equipment by logging in using the "Fortimanager_Access" username and a hashed version of the "FGTAbc11*xy+Qqz27" string as password. This user may be tied to Fortinet's FortiManager product, advertised by the company as "an easy to use, centralized, 'single pane of glass' management console." As Rik van Duijn noticed, "the FortiGate backdoor gives a variable that is then used to create a base64 string for authentication."
Another explanation for the username/password combo was provided by Evan Anderson: "It's a custom SSH authentication method invoked with a special username, 'Fortimanager_Access.' The protocol is a weak 'challenge/response' using hash of the challenge concatenated with a string (used in multiple firmware versions and not at all unique to the device)."
A Reddit user mentioned that there might be a connection between the backdoor's disappearance and a critical security bug (CVE-2014-2216) that Fortinet fixed back in 2014 (confirmed, see below). The same Reddit user also discovered that anyone using this backdoor account does not appear in the device's access logs. This seems to confirm that the backdoor might be tied to the FortiManager maintenance platform.
"It keeps working even if you disable 'FMG-Access,'" he said after trying to disable the user/FortiManager (still not clear which one he meant). "It won't let you define an admin user with the same name to mitigate it, so make sure that SSH access on your devices is at least restricted to trusted hosts."
Fortinet, on its part, attempted to explain why its products were shipped with hard coded SSH logins. According to the company, its internal team fixed this critical security bug CVE-2014-2216 (mentioned above) in version 5.2.3 back in July 2014, without releasing any advisory.
At first FortiGuard center team issued a short statement suggesting SysAdmin to upgrade FortiOS branch 4.3 and 5.0 as soon as possible as well as giving a quick workarounds:
Disable admin access via SSH on all interfaces, and use the Web GUI instead, or the console applet of the GUI for CLI access.
This information was followed by a brief statement regarding issues found with FortiOS.