Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jirka1
Contributor III

fortigate-tech-support user

Hi,

a strange thing happened to me today.


My home firewall 40F (7.2.1) rebooted unexpectedly.
I looked in the log and found that the reboot was done by the user "fortigate-tech-support" and the reason was a firmware upgrade (7.2.1->7.2.2)

In system/Administrator this user was created and I don't know about it.
My admin password is set to 17 characters (including special characters) and another administrator has an equally strong password.
FortiGate is added to FortiCloud.
Passwords remained unchanged, all configuration looks ok.

 

How should I explain it? I'm assuming it's not a trusted event... or is it something to do with the new CVE?

 

Thank you.

Jirka
log2.pnglog1.png

13 REPLIES 13
Jirka1
Contributor III

Ok,

according to this it is exactly the CVE problem - https://www.fortiguard.com/psirt/FG-IR-22-377


What are the best practices for this (other than upgrading to a patched version)?
Besides the user "fortigate-tech-support" that I deleted, is there anything else to watch out for? I checked the configuration several times (using PSpad) and found nothing out of the ordinary.


Thank you.

Jirka1
Contributor III

And one more question: the passwords are encrypted in the configuration file. If someone downloads the configuration file, is it possible to decrypt these passwords?

Jirka1
Contributor III

faz.png

aahmadzada
Staff
Staff

Greetings,

 

I would strongly recommend opening a case with TAC to take further steps.

 

Ahmad

 

Ahmad
Jirka1
Contributor III

Thanks,

ticket created.

 

J.

kanes391

Hi @Jirka1 - what was reported by Fortigate.

umar1
New Contributor II

Got any updates?


Is this a new vulnerability? Because https://www.fortiguard.com/psirt/FG-IR-22-377 advise doing a firmware upgrade to 7.0.7. 

 

But the thing is we got the same admin account 'fortigate-tech-support' logged in to the firewall and performed a firmware upgrade to 7.0.7.

 

As of know, we got 3 cases with 'fortigate-tech-support' account involved.

 

U
U
umar1
New Contributor II

Wonder why the attacker exploit it and do the firmware upgrade to mitigate https://www.fortiguard.com/psirt/FG-IR-22-377.

 

Unsung hero?

U
U
Amar1
New Contributor

Same thing happend on my firewall also, anything suspicious..

Labels
Top Kudoed Authors