Cybersecurity , Network & Perimeter , Technology

Fortinet Refutes SSH 'Backdoor' Report

Researcher's Warning Comes After Juniper Finds 'Unauthorized Code' in its Firmware
Fortinet Refutes SSH 'Backdoor' Report

Fortinet, which sells networking and security equipment, refutes a researcher's assertions that there is a "backdoor" in the FortiOS firmware that runs its devices.

See Also: 12 Top Cloud Threats of 2016

The presence of the alleged backdoor was first announced Jan. 9 in a post to the Full Disclosure mailing list, which warned that there was an "SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7." On Jan 12, meanwhile, Ralf-Philipp Weinmann, a research associate at the Interdisciplinary Center for Security, Reliability and Trust of the University of Luxembourg, said via Twitter: "FortiOS backdoor confirmed working."

But Fortinet, in a Jan. 12 blog post, claims that "this was not a 'backdoor' vulnerability issue but rather a management authentication issue," and that it was both publicly disclosed and patched in July 2014. "The issue was identified by our product security team as part of their regular review and testing efforts," it adds.

The FortiOS warning comes at a delicate time for the U.S. networking industry. Last month, Juniper Networks reported that it had found "unauthorized code" in the ScreenOS firmware that runs on its NetScreen enterprise firewalls, which attackers could use to silently bypass authentication on the devices - to remotely log in - as well as decrypt VPN traffic (see Who Backdoored Juniper's Code?). Juniper has released ScreenOS updates that it says mitigate related vulnerabilities.

But after reviewing ScreenOS more fully, security experts discovered a third flaw, involving the use of the Dual_EC random-number-generator algorithm, which is known to have been backdoored by the U.S. National Security Agency. Juniper has promised to remove Dual_EC in a future version of its firmware, to be issued before mid-year. But until that happens, some security experts say they wouldn't trust ScreenOS to be secure.

Networking Vendors Review Firmware

In the wake of Juniper's warning, Cisco said that it would launch an in-depth review of its firmware code to look for signs of tampering, and Information Security Media Group queried 12 other leading networking vendors, asking if they too were responding (see Cisco Reviews Code After Juniper Backdoor Found).

A Fortinet spokeswoman immediately responded, saying that her company has processes in place to help prevent, detect and eradicate any unauthorized code that might get inserted in its firmware. "In addition to ISO industry-leading best practices, we have implemented and comply with an in-depth, rigorous review process that includes multiple tiers of inspection, internal and third-party audits and automated triggers and tools across the entire development of our source code," she said. "We regularly evaluate our review processes and are confident that we have taken proper measures to ensure the integrity and protection of our operating code and platform."

Fortinet: No Signs of Tampering

Following the Juniper firmware revelations, of course, if a backdoor was discovered in Fortinet's code, it would suggest that many more networking vendors might also have "unauthorized code" backdoors. "If FortiOS also has a SSH backdoor, then whoever put the SSH backdoor there either got to both Juniper and Fortinet developers, or it's GCHQ/NSA asking for a 'friendly and voluntary' backdoor and getting it," says information security consultant Claus Cramon Houmann of ImproveIT Consulting, in a blog post.

If a second backdoor of questionable origin was found, it could also "turn out to be very damaging for the U.S. appliance/firewall industry," he said. "So let's hope it's a hoax."

In fact, Fortinet says that "after careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external." With the company having released related patches in 2014, it says users of the following firmware versions are protected against the flaw:

  • FortiOS v4.3.17 - released July 9, 2014 - and later version 4.3
  • FortiOS v5.0.8 - released July 28, 2014 - and later version 5.0
  • FortiOS v5.2
  • FortiOS v5.4

For anyone using a vulnerable version, however the company says that it "recommends you immediately update your FortiOS product."

War of Words

Despite Fortinet's comments, a war of words broke out over Twitter, with some information security experts, including Dan Kaminsky, chief scientist of anti-malware firm White Ops, warning that in the right hands, a "management authentication issue" would make a great backdoor for attackers.

Likewise, offensive security expert Robert David Graham, who heads research firm Errata Security, said via Twitter: "We've been calling hard-coded passwords 'backdoors' for decades, even though their intent was usually benign," for example because they were designed for debugging or customer-support purposes.

Broken Feature

But Rik van Duijn, an information security expert who works with security firm DearBytes in Amsterdam, says the flaw appears to relate to an appliance-to-appliance management feature.

He described it as a "broken feature," rather than a backdoor.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network