Networking Security

SSH Backdoor Found In Fortinet Firewalls (arstechnica.com)

An anonymous reader writes: The IT community was shaken a few weeks ago when Juniper Networks firewalls were found to contain "unauthorized code" that seemed to enable a backdoor. Now, Fortinet firewalls have been found to contain an apparent SSH backdoor as well. "According to the exploit code, the undisclosed authentication works on versions 4.3 up to 5.0.7. If correct, the surreptitious access method was active in FortiOS versions current in the 2013 and 2014 time frame and possibly earlier, based on this rough release history. The weakness was eventually patched, but so far, researchers have been unable to locate a security advisory that disclosed the alternative authentication method or the hard-coded password." A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."
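One way to triage a FortiOS inventory against the version range quoted above, as an added example that is not from the article or from Fortinet. The hostnames and versions are constructed, and treating both ends of the range as inclusive is an assumption the summary does not settle.

```python
from typing import Dict, Tuple

# Range quoted in the summary: "versions 4.3 up to 5.0.7". Treating both ends
# as inclusive is an assumption; the article does not state the boundary.
AFFECTED_LOW = (4, 3, 0)
AFFECTED_HIGH = (5, 0, 7)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-branch-01": "v4.3.18",
    "fw-branch-02": "5.0.7",
    "fw-dc-01": "5.0.10",
    "fw-lab": "4.2.9",
    "fw-legacy": "build-1234",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v5.0.7', '5.0' or '4.3' into a numeric (major, minor, patch) tuple.

    Numeric tuples compare correctly; plain string comparison would rank
    '5.0.10' below '5.0.7' and misclassify it.
    """
    text = text.strip().lower().lstrip("v")
    parts = text.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_in_affected_range(version: str) -> bool:
    """True when the version falls inside the range the article quotes."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each device as 'affected', 'not affected' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_in_affected_range(version) else "not affected"
        except ValueError:
            # Unparseable versions need a manual look rather than a silent pass.
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {status}")
```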
  • So did Juniper. Wonder when we hear from sonicwall. I won't hold my breath.
    • Maybe when sonicwall was sonicwall... maybe....

      But now that they are Dell owned? No chance.... Dell has acquired so much so fast that they don't have any idea what they even have....

    • by Anonymous Coward

      when Juniper Networks firewalls were found to contain

      You mean when NETSCREEN firewalls were found. Juniper purchased Netscreen a while back, and those piles of trash are already end of life. Juniper's own firewall product line is the SRX which was completely unaffected, as it runs an entirely different code base.

      when we hear from sonicwall. I won't hold my breath.

      That's probably a good idea, I've had indirect dealings with that company and I can say that not only does their product suck, their support is horrifically bad as well. Not quite as badly as Barracuda, but damn close.

      • Good to know. I haven't really followed Juniper. We are a large Cisco reseller. Barracuda has come a long way, still miles from what I would consider quality support, but they have to start somewhere.
      • Unfortunately SRXs also suck harder than a whore at Mardi Gras.

        • by Anonymous Coward

          Whores don't work Mardi Gras -- too many sluts giving it for free.

    • They haven't admitted they had a backdoor.
      They've only admitted they had a 'management authentication issue'.

      Just like many companies are coming under 'advanced persistent threat' attacks.
      They aren't filled with idiots who click Important Document.doc.exe from random emails. Course not!
      The attack has 'advanced' in the title!

  • by DickBreath ( 207180 ) on Tuesday January 12, 2016 @06:51PM (#51290437) Homepage
    All the other firewalls are safe. Trust the NSA. Nothing to see here. Move along.

    Hey, check out one of the new reality tv shows.
    • Hey, check out one of the new reality tv shows.

      Masterchef Junior. It's a hoot seeing Gordon Ramsay make nine-year-old girls cry.

  • by The-Ixian ( 168184 ) on Tuesday January 12, 2016 @06:56PM (#51290475)

    You don't need no fancy schmancy hardware device.

    • by SuricouRaven ( 1897204 ) on Tuesday January 12, 2016 @07:35PM (#51290657)

      That depends how much traffic you are shifting and how many ports you need. Using a Linux or BSD box as a firewall is common now at the low end of performance - a lot of firewall appliances actually are nothing more than modified rack servers running Linux and a web interface for ease of management, like Smoothwall. But if you want to put a firewall between two networks with a 20Gb/s backbone while meeting a strict latency target? You need something specialised. There's still a space for dedicated firewall appliances at the top end. They do a lot more than just iptables-like rule sets too - lots more SPI, detection and automatic blocking of IPs trying to use known vulnerabilities, logging of specified events (e.g., any external IP connecting to a server on port 22), detection of port scanners. Fortinet have firewalls with 100Gb/s ports, and the routing/filtering capacity to keep up too. Hardware firewalls are still going strong at the top end - if you've got the need, you've probably got the money.

      • Those 100Gbps ports are irrelevant if you are doing DPI. The cores can't process the rules fast enough.
        • by Gr8Apes ( 679165 )

          Those 100Gbps ports are irrelevant if you are doing DPI. The cores can't process the rules fast enough.

          100Gbps I haven't seen yet, but 40Gbps exists [bivio.net]. Naturally, they're not cheap, but certainly in-line with everything else at that level.

      • If you want something that uses less power. It is as true today as ever that you can do more with less juice in an ASIC than in software. So sure, if you throw a big CPU at something it can often do the trick. But maybe you don't want a big CPU and associated support hardware, maybe you have a reason to want something lower power. In that case, dedicated hardware comes in.

        Also I think many people who dis hardware firewalls have never seen really difficult networks. It isn't so much the traffic that causes trou

      • by AmiMoJo ( 196126 )

        Also, if you buy a firewall appliance you can have someone administer it for you remotely. No need to hire someone with the expertise, just pay someone else to manage your firewall and get a lowly Windows Server admin in to handle your internal stuff.

        These things aren't just a box you buy, they are a service.

    • What level does your non fancy schmancy hardware scale to? Do you really think people spend hundreds of thousands or even millions on firewalls just because it is "fancy" hardware?
  • If we listened carefully, would we hear crying at Fort Meade because they've been caught out, or is it that they've now got other ways to get what they were getting from these sources? My guess is that they won't be happy about all this coming to light, but let's not be fooled into thinking that we are ever really secure on the net.
  • Fortigategate or just plain Fortigate?

  • by gweihir ( 88907 ) on Tuesday January 12, 2016 @07:39PM (#51290667)

    Seriously, any actual security expert has been expecting things like this for a long time. The only explanation that makes sense for so few of these being found is that most vendors do not go looking in the first place...

  • LOL (Score:5, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Tuesday January 12, 2016 @08:00PM (#51290751)

    A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

    Later they said, "You didn't get 'pwned', you got 'haxored'...it's like, totally different, man."

    And just for the record, I'm not "eating a potato", I'm "utilizing a starch resource with a multi-pronged utensil!"

  • Nations have to learn to stop importing complex with issues.
    Learn to fab, design your own hardware, add the code and test it. Lots of nice domestic work for years and a good secure product is created.
    The hardware might not be fast, cool running, an international standard but it will be fully understood from the chips up and be fully supported locally.
  • by Tokolosh ( 1256448 ) on Wednesday January 13, 2016 @03:24AM (#51291873)

    The reaction to these types of revelations should be the same as for the VW emissions scandal. A fired CEO, congressional FCC and FTC investigations, class-actions, naming and shaming of the individuals responsible, and the source code.

  • A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

    Hm. To me, that reads like this:

    A spokesperson for the Zeta Beta Tau chapter told El Reg, "This was not a surprise unwanted group buttsex situation but rather a dating faux pas."

    This kind of "management authentication issue" IS a backdoor...it's exactly what the term "backdoor" was created to refer to.
