Scans for Fortinet devices have intensified. An unknown group has been scanning the Internet for old Fortinet equipment that includes a secret SSH backdoor account that can be exploited to take over the devices.
Ten days ago, an anonymous user posted a full disclosure regarding a hidden account that was included in Fortinet’s FortiOS, on versions from the 4.x series up to and including 4.3.16, and the 5.x series up to and including version 5.0.7.
The announcement was accompanied by proof-of-concept code that allowed security researchers to scan their equipment for the backdoor’s presence and even connect to the backdoor account.
Internet scans for FortiOS equipment have intensified in the past days
According to Jim Clausing of the SANS Internet Storm Center, based on logs submitted by various infosec professionals, somebody has been scanning the Internet for vulnerable Fortinet devices.
“We’ve seen an increase in scanning for those devices in the days since the revelation of the vulnerability,” Mr. Clausing says. “Nearly all of this scanning has come from two IPs in China (220.127.116.11 and 18.104.22.168).”
Mr. Clausing goes on to recommend that sysadmins apply the patches provided by Fortinet as soon as possible, or that they put firewall rules in front of the device and limit access to the SSH port from external connections.
Fortinet internal audit discovers the same SSH backdoor in other products
The day after the SSH backdoor incident broke in the press, Fortinet acknowledged its presence and quickly released patches to protect vulnerable devices.
Fortinet’s backdoor never affected FortiOS’ recent versions and was removed in 2014, when Fortinet fixed an adjacent security bug. Nevertheless, older versions of the FortiOS still had the SSH backdoor in their firmware.
Applying Fortinet’s patches allows sysadmins to continue to run older FortiOS versions and avoid being pwned by any script kiddie with an Internet connection.
In a blog post published yesterday, following an internal audit, Fortinet also disclosed that, besides FortiOS, the company identified other products with the exact same backdoor. These are:
→ FortiAnalyzer: 5.0.0 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
→ FortiSwitch: 3.3.0 to 3.3.2
→ FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
Patches are available for all the affected versions, even if some of them reached end-of-life phases many months before.
As Fortinet explains, the SSH backdoor was never an intent to spy on its clients but was only the result of bad design in the implementation of its FortiManager centralized administration protocol.