
Infosec pros whose organizations use certain versions of Fortinet’s firewall operating system are being warned to update the OS after a high-risk vulnerability was disclosed.

Those with the FortiGate firewall using FortiOS 4.3.0 to 4.3.16 or FortiOS 5.0.0 to 5.0.7 have to update immediately to fix a hole that could allow remote console access to vulnerable devices with “Administrative Access” enabled for SSH, according to the company’s blog.

Currently supported branches (FortiOS 5.2 and 5.4) are not affected by the problem.

The warning comes after a person alleged on Saturday on the Full Disclosure website that there is an SSH backdoor into the firewall’s operating system and posted details on how it can be exploited.

That prompted Fortinet yesterday to issue a statement saying the “recent issue that was disclosed publicly was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase. This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts.

“After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

It said the problem was patched in July 2014 for many versions of FortiOS. Organizations with v4.3.17 or any later version of FortiOS v4.3 (available as of July 9, 2014), FortiOS v5.0.8 or any later version of FortiOS v5.0 (available as of July 28, 2014), and any version of FortiOS v5.2 or v5.4 are therefore not affected by the vulnerability.

According to The Hacker News, this opening was created for a challenge-and-response authentication routine for logging into Fortinet’s servers with the secure shell (SSH) protocol. System administrators can also make use of this exploit code to automate their testing process in an effort to find out whether they have any vulnerable FortiGuard network equipment, it says.
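For administrators who would rather not run the published exploit against their own fleet, a version-based inventory check is the safer route. The script below is an added example, not code from the article, Fortinet or The Hacker News: it classifies a constructed FortiGate inventory against the version ranges the article states (FortiOS 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 affected; 4.3.17 and later, 5.0.8 and later, and the 5.2 and 5.4 branches not affected), and treats SSH "Administrative Access" being enabled on an interface as the exposure condition the article names. The CSV layout, hostnames, version strings and the `ssh_admin_access` column are assumptions made for the example.

```python
"""Triage a FortiGate inventory against the FortiOS versions named in the article.

Added example, not Fortinet's code. Version ranges come from the article:
FortiOS 4.3.0-4.3.16 and 5.0.0-5.0.7 affected; 4.3.17+ and 5.0.8+ fixed;
5.2 and 5.4 never affected. The inventory format and hostnames are constructed.
"""
import csv
import io
import re

# (first affected, last affected) per branch, as stated in the article.
AFFECTED_RANGES = {
    (4, 3): ((4, 3, 0), (4, 3, 16)),  # fixed in 4.3.17
    (5, 0): ((5, 0, 0), (5, 0, 7)),   # fixed in 5.0.8
}
# Branches the vendor statement says were never affected.
UNAFFECTED_BRANCHES = {(5, 2), (5, 4)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v5.0.7', '5.0.7' or '5.0.7,<build suffix>' into (major, minor, patch)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version, ssh_admin_enabled):
    """Classify one device. Returns (status, reason).

    The exposure condition in the article is an interface with SSH
    administrative access enabled, so that flag separates VULNERABLE from
    AT_RISK; both still need the update.
    """
    ver = parse_version(version)
    branch = ver[:2]
    if branch in AFFECTED_RANGES:
        first, last = AFFECTED_RANGES[branch]
        if first <= ver <= last:
            if ssh_admin_enabled:
                return "VULNERABLE", "affected build with SSH administrative access enabled"
            return "AT_RISK", "affected build; SSH administrative access currently off"
        return "PATCHED", "build is at or above the fixed release for this branch"
    if branch in UNAFFECTED_BRANCHES:
        return "NOT_AFFECTED", "branch not affected per vendor statement"
    return "UNKNOWN", "branch not covered by the advisory; verify with the vendor"


# Constructed inventory; hostnames, versions and flags are made up for the example.
SAMPLE_INVENTORY = """\
hostname,fortios_version,ssh_admin_access
fw-edge-01,v5.0.7,yes
fw-edge-02,5.0.8,yes
fw-branch-03,4.3.12,no
fw-core-04,5.2.3,yes
fw-lab-05,4.2.15,yes
"""


def triage(inventory_csv):
    """Return one result dict per device, worst status first."""
    order = {"VULNERABLE": 0, "AT_RISK": 1, "UNKNOWN": 2, "PATCHED": 3, "NOT_AFFECTED": 4}
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ssh_on = row["ssh_admin_access"].strip().lower() in {"yes", "true", "1", "enable"}
        status, reason = assess(row["fortios_version"], ssh_on)
        results.append({"hostname": row["hostname"], "version": row["fortios_version"],
                        "status": status, "reason": reason})
    results.sort(key=lambda r: order[r["status"]])  # stable sort keeps input order within a status
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['status']:<13} {r['hostname']:<14} {r['version']:<8} {r['reason']}")
```

Because the report says logins through this account do not show up in the device's access logs, searching logs is not a dependable way to find affected units; an inventory check keyed on the running FortiOS version and on where SSH administrative access is enabled is. Branches the article does not mention (4.2 in the constructed sample) are reported as UNKNOWN rather than silently treated as safe.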

“The most important fact to be noted here is anyone using this backdoor account doesn’t appear in the device’s access logs, as the backdoor might be tied to its FortiManager maintenance platform,” says the news report. “Also, there is less chance with professional sysadmins to expose their SSH port online, but this backdoor account can still be exploited by attackers with access to the local network or a virtual LAN, by infecting an organization’s computer.”

As the Hacker News notes, by coincidence this report comes shortly after Juniper Networks acknowledged last month the discovery of unauthorized code in its ScreenOS — used in Juniper NetScreen enterprise firewalls — that could allow a knowledgeable attacker to gain administrative access to the devices and to decrypt VPN connections. Patches for various versions of ScreenOS were issued Dec. 20.

The issue is another reminder that system administrators have to ensure they are running the latest versions of critical infrastructure such as firewalls,