MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
01/25/2016 - Updated
Vulnerability in Fortinet FortiOS Could Allow Unauthorized Remote Access
A vulnerability has been discovered in Fortinet FortiOS that could allow unauthorized remote administrative access to the device if the device has “Administrative Access” enabled for SSH. FortiOS is the operating system used by FortiGate network security platforms. Successful exploitation could lead to remote administrative access of an impacted FortiOS device.
Exploit script freely available on the Internet.
FortiOS versions 4.3.0 to 4.3.16
FortiOS versions 5.0.0 to 5.0.7
January 23 - UPDATED SYSTEMS AFFECTED:
FortiAnalyzer: 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
FortiSwitch: 3.3.0 to 3.3.2
FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
FortiOS 4.1.0 to 4.1.10
FortiOS 4.2.0 to 4.2.15
Large and medium government entities: High
Small government entities: High
Large and medium business entities: High
Small business entities: High
Home users: N/A
A vulnerability has been discovered in Fortinet FortiOS that could allow unauthorized, remote administrative access to the device if the device has “Administrative Access” enabled for SSH. Successful exploitation could lead to remote administrative access of an impacted FortiOS device.
The vulnerability identified could lead to remote administrative access via SSH of a FortiOS device, resulting in the complete compromise of the impacted system. A hard-coded password exists in the firewall software that would allow a remote attacker to log in with full administrative access to the device by using the “Fortimanager_Access” username and a hashed version of the string “FGTAbc11*xy+Qqz27” as the password.
We recommend the following actions be taken:
Disable administrator access over SSH on all the network interfaces of the device and use the Web GUI or console applet for the GUI instead.
In cases where SSH access is necessary in FortiOS 5.x versions, restrict SSH access to a minimal set of pre-authorized IP addresses.
Apply appropriate patches provided by Fortinet to vulnerable systems immediately after appropriate testing.
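One way to review device event logs for the two conditions this advisory raises, SSH logins by the "Fortimanager_Access" account and SSH administrator logins from outside the pre-authorized addresses (an added example, not part of the original advisory and not Fortinet tooling). The key=value log layout, the field names user, ui, action and status, the sample lines and the allowlist range are assumptions or constructed values; adapt them to the device's actual log export.

```python
import ipaddress
import re

BACKDOOR_USER = "fortimanager_access"  # account name given in this advisory
# Constructed allowlist (documentation range); replace with real management networks.
AUTHORIZED_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# Assumed log layout: key=value or key="quoted value" pairs, with ui="ssh(<source ip>)".
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SSH_UI = re.compile(r'^ssh\(([^)]+)\)$', re.IGNORECASE)

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = [
    'date=2016-01-25 time=09:14:02 type=event user="admin" ui="ssh(192.0.2.5)" action=login status=success',
    'date=2016-01-25 time=09:20:41 type=event user="Fortimanager_Access" ui="ssh(203.0.113.77)" action=login status=success',
    'date=2016-01-25 time=09:31:10 type=event user="admin" ui="ssh(198.51.100.9)" action=login status=failed',
    'date=2016-01-25 time=09:40:00 type=event user="admin" ui="https(198.51.100.9)" action=login status=success',
]

def parse_line(line):
    """Return a dict of the key=value fields found in one log line."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in PAIR.findall(line)}

def review(lines, authorized=AUTHORIZED_NETS):
    """Return (line_number, reason) findings for SSH administrator logins."""
    findings = []
    for number, line in enumerate(lines, start=1):
        event = parse_line(line)
        match = SSH_UI.match(event.get("ui", ""))
        if event.get("action") != "login" or not match:
            continue  # not an SSH login event
        user = event.get("user", "")
        if user.lower() == BACKDOOR_USER:
            findings.append((number, f"{user} SSH login attempt ({event.get('status', '?')})"))
            continue
        try:
            source = ipaddress.ip_address(match.group(1))
        except ValueError:
            findings.append((number, "unparseable SSH source address"))
            continue
        if not any(source in net for net in authorized):
            findings.append((number, f"SSH login for {user} from non-authorized {source}"))
    return findings

if __name__ == "__main__":
    for number, reason in review(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Failed attempts are reported as well as successful ones, since either shows that SSH administrative access is reachable from an address outside the pre-authorized set.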
January 23 - UPDATED REFERENCES: