Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MikeU
New Contributor

SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

http://seclists.org/fulldisclosure/2016/Jan/26

 

I have not had a chance to try this. I don't see any threads discussing it. So, I thought I'd share.

 

=Mike
=Mike
25 REPLIES 25
emnoc
Esteemed Contributor III

yeap I agreed 100%

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
simonorch

I agree...however, i would also question allowing SSH, or any admin access from an insecure or untrusted source. But then again, it's not the script kiddies who've found out about this that are the problem. It's the nation states with the resources to carry out sophisticated attacks against personnel who do have admin access to systems that is\was the concern, ideal for intelligence gathering.

 

 

 

 

ede_pfau

My impression is that this access path was found by scrutinizing the firmware image, thus, by an 'insider'.

Anyway, the whole concept was so silly you couldn't believe it. The loss of trust is a deep cut.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
netmin

At least...this 'concept' or its remainder appears now (5.2.6 VM) to be removed completely, whereas 5.2.5 (VM) presented at least a similar mimic (functional or not) when connecting via putty/ssh using the named account.

ede_pfau

I don't quite understand your statement. A backdoor is only relevant if it is "functional", ie. permitting access to unauthorized people.

Besides, this kind of access does not use the standard ssh protocol, so access via putty wouldn't work in any case.

Fortinet states that v5.2 never has had this 'feature'.

 

So, what about your statement - are you saying you have been able to gain access using the BD credentials, in v5.2 and using putty?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
netmin

Hi Ede,

 

certainly not, but without knowing in detail what had actually been changed...when connecting to 5.0.6 and when connecting to 5.2.5 using putty, it looks like the attached picture. This does no longer work on 5.2.6 and is a strong indication that it has been removed.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors