The Firewalls’ backdoor saga: Fortinet under fire

Do you remember that less than a month ago Juniper Networks was in the limelight for the backdoor in its ScreenOS software? There was a lot of speculation about the case, and the NSA was probably involved at some point 🙂.

On Saturday 9th January 2016 an anonymous user sent the following email to the Full Disclosure mailing list:

SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
From: <operator8203 () runbox com>
Date: Sat, 09 Jan 2016 14:48:01 -0500 (EST)

The Python script included in that email allows interacting with the hardware firewall via SSH using the username “Fortimanager_Access” and a dynamically generated password (a hashed version of the password string “FGTAbc11*xy+Qqz27”). Both the username and the password string are hardcoded in the FortiGate firmware.

Someone tried to verify the vulnerability, and apparently it works:


According to the anonymous poster and a few other security researchers, Dr David D. Davidson included, this can be considered a real backdoor at the end of the day, even if Fortinet has a different opinion on the matter.


Fortinet published an article acknowledging that this was indeed a vulnerability, but claiming that it wasn’t intended as a “backdoor”, rather a “management authentication issue”. Apparently the SSH user was created for a challenge-and-response authentication routine used to log into Fortinet’s servers over the secure shell (SSH) protocol (an SSH user with administrative access).

Even if Fortinet was “innocent”, this was surely not a good idea: a poor implementation based on security through obscurity, which eventually became public and could already have been used in the wild.

To tell the truth, this isn’t a 0day but rather an “olday”, as someone called it 🙂. Fortinet says that the vulnerability made public is related to CVE-2014-2216, and that a newer version addressing it was released without informing end users of the “issue”.


A quick search on Shodan shows the following result panels: Top countries, Top services, Top organizations and Top domains.

If you are using FortiOS branch 4.3 upgrade to FortiOS 4.3.17 or later.
In case you are using FortiOS branch 5.0 upgrade to FortiOS 5.0.8 or later.


* Disable admin access via SSH on all interfaces, and use the Web GUI instead, or the console applet of the GUI for CLI access.

* If SSH access is mandatory, in 5.0 you can restrict SSH access to a minimal set of authorized IP addresses via Local In policies.
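As an added example (not code from the post or from Fortinet), a small Python log-review script: it flags logins by the hardcoded account in FortiGate-style key=value event logs and checks a firmware version string against the fixed releases given above (4.3.17 and 5.0.8). The log lines are constructed, and their field layout (`user=`, `srcip=`, `action=`, `status=`) is an assumption.

```python
import re

# Hardcoded account named in the Full Disclosure post.
BACKDOOR_USER = "Fortimanager_Access"

# First fixed release per branch, as stated above: 4.3.17 and 5.0.8.
FIXED_4_3 = (4, 3, 17)
FIXED_5_0 = (5, 0, 8)

# Assumption: one record per line, fields as key=value, values may be quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_version(text):
    """'v5.0.7,build0291' -> (5, 0, 7); only the numeric x.y.z triple is used."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version_text):
    """True when the firmware is inside the '4.x up to 5.0.7' range of the advisory."""
    v = parse_version(version_text)
    if v[0] < 4:
        return False                 # older major branches are not covered by the advisory
    if v[:2] == (4, 3):
        return v < FIXED_4_3         # 4.3 branch was fixed in 4.3.17
    return v < FIXED_5_0             # everything else up to 5.0.7 is affected

def parse_kv(line):
    """Turn a key=value event line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV.findall(line)}

def suspicious_logins(lines):
    """Return (source IP, status) for every login attempt with the hardcoded user."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("action") == "login" and rec.get("user") == BACKDOOR_USER:
            hits.append((rec.get("srcip", "?"), rec.get("status", "?")))
    return hits

# Constructed sample log: one normal admin login, one login and one logout by the hardcoded user.
SAMPLE_LOG = [
    'date=2016-01-10 time=03:12:45 type=event subtype=system user="admin" ui="ssh(192.0.2.10)" srcip=192.0.2.10 action=login status=success',
    'date=2016-01-10 time=03:13:02 type=event subtype=system user="Fortimanager_Access" ui="ssh(203.0.113.7)" srcip=203.0.113.7 action=login status=success',
    'date=2016-01-10 time=03:15:40 type=event subtype=system user="Fortimanager_Access" ui="ssh(203.0.113.7)" srcip=203.0.113.7 action=logout status=success',
]

if __name__ == "__main__":
    print("firmware v5.0.7 affected:", is_affected("v5.0.7,build0291"))
    print("logins by hardcoded user:", suspicious_logins(SAMPLE_LOG))
```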


Author: Fabio Baroni   Date: 2016-01-13 12:36:56
