Fortinet Refutes SSH 'Backdoor' ReportResearcher's Warning Comes After Juniper Finds 'Unauthorized Code' in its Firmware
Fortinet, which sells networking and security equipment, refutes a researcher's assertions that there is a "backdoor" in the FortiOS firmware that runs its devices.
The presence of the alleged backdoor was first announced Jan. 9 in a post to the Full Disclosure mailing list, which warned that there was an "SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7." On Jan 12, meanwhile, Ralf-Philipp Weinmann, a research associate at the Interdisciplinary Center for Security, Reliability and Trust of the University of Luxembourg, said via Twitter: "FortiOS backdoor confirmed working."
But Fortinet, in a Jan. 12 blog post, claims that "this was not a 'backdoor' vulnerability issue but rather a management authentication issue," and that it was both publicly disclosed and patched in July 2014. "The issue was identified by our product security team as part of their regular review and testing efforts," it adds.
The FortiOS warning comes at a delicate time for the U.S. networking industry. Last month, Juniper Networks reported that it had found "unauthorized code" in the ScreenOS firmware that runs on its NetScreen enterprise firewalls, which attackers could use to silently bypass authentication on the devices - to remotely log in - as well as decrypt VPN traffic (see Who Backdoored Juniper's Code?). Juniper has released ScreenOS updates that it says mitigate related vulnerabilities.
But after reviewing ScreenOS more fully, security experts discovered a third flaw, involving the use of the Dual_EC random-number-generator algorithm, which is known to have been backdoored by the U.S. National Security Agency. Juniper has promised to remove Dual_EC in a future version of its firmware, to be issued before mid-year. But until that happens, some security experts say they wouldn't trust ScreenOS to be secure.
Networking Vendors Review Firmware
In the wake of Juniper's warning, Cisco said that it would launch an in-depth review of its firmware code to look for signs of tampering, and Information Security Media Group queried 12 other leading networking vendors, asking if they too were responding (see Cisco Reviews Code After Juniper Backdoor Found).
A Fortinet spokeswoman immediately responded, saying that her company has processes in place to help prevent, detect and eradicate any unauthorized code that might get inserted in its firmware. "In addition to ISO industry-leading best practices, we have implemented and comply with an in-depth, rigorous review process that includes multiple tiers of inspection, internal and third-party audits and automated triggers and tools across the entire development of our source code," she said. "We regularly evaluate our review processes and are confident that we have taken proper measures to ensure the integrity and protection of our operating code and platform."
Fortinet: No Signs of Tampering
Following the Juniper firmware revelations, of course, if a backdoor was discovered in Fortinet's code, it would suggest that many more networking vendors might also have "unauthorized code" backdoors. "If FortiOS also has a SSH backdoor, then whoever put the SSH backdoor there either got to both Juniper and Fortinet developers, or it's GCHQ/NSA asking for a 'friendly and voluntary' backdoor and getting it," says information security consultant Claus Cramon Houmann of ImproveIT Consulting, in a blog post.
If a second backdoor of questionable origin was found, it could also "turn out to be very damaging for the U.S. appliance/firewall industry," he said. "So let's hope it's a hoax."
In fact, Fortinet says that "after careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external." With the company having released related patches in 2014, it says users of the following firmware versions are protected against the flaw:
- FortiOS v4.3.17 - released July 9, 2014 - and later version 4.3
- FortiOS v5.0.8 - released July 28, 2014 - and later version 5.0
- FortiOS v5.2
- FortiOS v5.4
For anyone using a vulnerable version, however the company says that it "recommends you immediately update your FortiOS product."
War of Words
Despite Fortinet's comments, a war of words broke out over Twitter, with some information security experts, including Dan Kaminsky, chief scientist of anti-malware firm White Ops, warning that in the right hands, a "management authentication issue" would make a great backdoor for attackers.
@mdowd Intent totally matters in whether something is a backdoor.ï¿½ Dan Kaminsky (@dakami) January 12, 2016
Likewise, offensive security expert Robert David Graham, who heads research firm Errata Security, said via Twitter: "We've been calling hard-coded passwords 'backdoors' for decades, even though their intent was usually benign," for example because they were designed for debugging or customer-support purposes.
But Rik van Duijn, an information security expert who works with security firm DearBytes in Amsterdam, says the flaw appears to relate to an appliance-to-appliance management feature.
He described it as a "broken feature," rather than a backdoor.