MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-012

DATE(S) ISSUED:
01/13/2016

SUBJECT:
Vulnerability in Fortinet FortiOS Could Allow Unauthorized Remote Access

OVERVIEW:

A vulnerability has been discovered in Fortinet FortiOS that could allow unauthorized remote administrative access to the device if the device has ³Administrative Access² enabled for SSH. FortiOS is the operating system used by FortiGate network security platforms. Successful exploitation could lead to remote administrative access of an impacted FortiOS device.

 

THREAT INTELLIGENCE:

 

Exploit script freely available on the Internet.

 

SYSTEMS AFFECTED:

 

  • FortiOS versions 4.3.0 to 4.3.16

  • FortiOS versions 5.0.0 to 5.0.7

 

RISK:

 

Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: N/A

 

TECHNICAL SUMMARY:

 

A vulnerability has been discovered in Fortinet FortiOS that could allow unauthorized, remote administrative access to the device if the device has ³Administrative Access² enabled for SSH. Successful exploitation could lead to remote administrative access of an impacted FortiOS device.

 

The vulnerability identified could lead to remote administrative access via SSH of a FortiOS device, resulting in the complete compromise of the impacted system. A hard-coded password exists in the firewall software that would allow a remote attacker to login with full administrative access to the device by using the ³Fortimanager_Access² username and a hashed version of the string ³FGTAbc11*xy+Qqz27² as the password.

 

 

RECOMMENDATIONS:

 

We recommend the following actions be taken:

 

  • Disable administrator access over SSH on all the network interfaces of the device and use the Web GUI or console applet for the GUI instead.

  • In cases where SSH access is necessary in FortiOS 5.x versions, restrict SSH access to minimal set of pre-authorized IP addresses.

  • Apply appropriate patches provided by Fortinet to vulnerable systems immediately after appropriate testing. 

 

REFERENCES:

 

Fortiguard Center:

https://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-login-vulnerability

 

 

Security Affairs:

http://securityaffairs.co/wordpress/43551/hacking/fortinet-fortios-ssh-backdoor.html

 

Security Week:

http://www.securityweek.com/fortinet-denies-existence-malicious-backdoor-fortios