Hi,
a strange thing happened to me today.
My home firewall 40F (7.2.1) rebooted unexpectedly.
I looked in the log and found that the reboot was done by the user "fortigate-tech-support" and the reason was a firmware upgrade (7.2.1->7.2.2).
In system/Administrator this user was created and I don't know about it.
My admin password is set to 17 characters (including special characters) and another administrator has an equally strong password.
FortiGate is added to FortiCloud.
Passwords remained unchanged, all configuration looks ok.
How should I explain it? I'm assuming it's not a trusted event... or is it something to do with the new CVE?
Thank you.
Jirka
Ok,
according to this it is exactly the CVE problem - https://www.fortiguard.com/psirt/FG-IR-22-377
What are the best practices for this (other than upgrading to a patched version)?
Besides the user "fortigate-tech-support" that I deleted, is there anything else to watch out for? I checked the configuration several times (using PSpad) and found nothing out of the ordinary.
Thank you.
And one more question: the passwords are encrypted in the configuration file. If someone downloads the configuration file, is it possible to decrypt these passwords?
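Added example (not part of the original posts and not Fortinet code): one way to repeat the manual configuration review described above is to parse the `config system admin` table of a plain-text configuration backup and list every administrator account that is not on an expected list. The sample backup, the account name "jirka" and the function names are constructed for illustration; only "fortigate-tech-support" comes from the thread.

```python
import shlex
# Constructed sample in FortiOS backup syntax; not taken from a real device.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "jirka"
        set accprofile "super_admin"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
end
"""

def list_admins(config_text):
    """Return {name: {setting: value}} for entries under 'config system admin'."""
    admins, depth, admin_depth, current = {}, 0, None, None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. part of a multi-line value
            tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if tokens[1:] == ["system", "admin"] and admin_depth is None:
                admin_depth = depth
        elif tokens[0] == "end":
            if depth == admin_depth:
                admin_depth = None
            depth -= 1
        elif depth == admin_depth:  # directly in the admin table, not a nested block
            if tokens[0] == "edit" and len(tokens) > 1:
                current = tokens[1]
                admins[current] = {}
            elif tokens[0] == "set" and current and len(tokens) > 2:
                admins[current][tokens[1]] = " ".join(tokens[2:])
    return admins

def unexpected_admins(config_text, expected):
    # Accounts present in the backup but absent from the expected list.
    return sorted(set(list_admins(config_text)) - set(expected))
```

Calling `unexpected_admins(open(path).read(), {"admin", "jirka"})` on a real backup covers only the administrator table; other parts of the configuration still need their own review.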
Greetings,
I would strongly recommend opening a case with TAC to take further steps.
Ahmad
Thanks,
ticket created.
J.
Hi @Jirka1 - what was reported by Fortigate?
Got any updates?
Is this a new vulnerability? Because https://www.fortiguard.com/psirt/FG-IR-22-377 advises doing a firmware upgrade to 7.0.7.
But the thing is we got the same admin account 'fortigate-tech-support' logged in to the firewall and performed a firmware upgrade to 7.0.7.
As of now, we got 3 cases with 'fortigate-tech-support' account involved.
Wonder why the attacker exploits it and does the firmware upgrade to mitigate https://www.fortiguard.com/psirt/FG-IR-22-377.
Unsung hero?
Same thing happened on my firewall also, anything suspicious..