
SSH Backdoor found in Fortinet firewalls - afreak
http://seclists.org/fulldisclosure/2016/Jan/26
======
EvanAnderson
It's a custom SSH authentication method invoked with a special username,
"Fortimanager_Access". The protocol is a weak "challenge/response" using hash
of the challenge concatenated with a string (used in multiple firmware
versions and not at all unique to the device).

~~~
dawnbreez
So they have an account that has one password that can bypass this firewall on
any device?

Does this sound familiar?

~~~
laotzu
Juniper back door #1?

~~~
dawnbreez
I was thinking NSA, actually.

------
godzillabrennus
This is why [http://Pfsense.com](http://Pfsense.com) should get even more
coverage on here than it does. Chris and his team do an incredible job of
creating secure open firewall software.

~~~
vex
Their software is good, but their hardware? Awful. pfSense doesn't know how to
do reliable hardware at all.

~~~
alsetmusic
I own the SG-4860 and it's been solid for about eight months. It's the first
hardware I've purchased from them and I have no regrets.

[https://www.pfsense.org/products/product-family.html](https://www.pfsense.org/products/product-family.html)

~~~
snuxoll
Do you have any experience with the lower end SG-2220? I'm looking at
replacing the Aspire Revo AR1600 I've hacked into a firewall at my aunt's shop
running Sophos UTM with something that doesn't require a USB NIC; it looks
like a pretty good value at the price.

------
nickpsecurity
This is why high-assurance security products were/are required to have:

1. Clear description of every feature and requirement in the system.

2. Mathematical spec of those where English ambiguity could affect results.

3. High-level design with components that map 1-to-1 to those.

4. Low-level, simple, modular code mapping to that.

5. Source-to-object code verification or the ability to generate from source on-site.

What people in faux security mocked as mere "paperwork" or "red tape" were
actually prerequisites for defeating subversion by mentally understanding a
system from requirements all the way to code. A problem like this would've
been impossible in such a system because it would be beyond obvious and
_probably_ unjustifiable with requirements tracing.

Every story like this further validates the methods that consistently produced
systems without all the security problems plaguing modern security products.
The situation isn't inevitable or even necessary: merely an inversion of the scientific
method where security companies and professionals consistently refuse to use
what's proven to help and reuse tactics proven to fail. It's gotta stop.

That it won't is why I favor liability legislation tied to a reasonable
baseline of practices. We can use an inexpensive subset of what worked in
highly assured systems. 80/20 rule. The baseline would look more like Secure64 or
HYDRA firewall than shit like Fortinet and Juniper. Hackers would _work_ for
exploits. I know I'm dreaming, though, as DOD and NSA just dropped the mandate to
EAL1 w/ 90 day review for some stuff. (Rolls eyes).

~~~
munin
> 2. Mathematical spec of those where English ambiguity could affect results.

What does a mathematical specification of "secure" look like?

~~~
nl
See [https://sel4.systems](https://sel4.systems)

~~~
munin
That's a proof that the system corresponds to a specification, though.

~~~
nickpsecurity
That's right: a formal specification, formal security model, and proof the
spec implements it. An implementation formally proven to implement that spec
will then possess the security property unless done in by stuff not covered by
that model.

Which is where EAL6/7's other assurance activities come in.

------
eeZi
See relevant thread in r/netsec:
[https://www.reddit.com/r/netsec/comments/40lotk/ssh_backdoor...](https://www.reddit.com/r/netsec/comments/40lotk/ssh_backdoor_for_fortigate_os_version_4x_up_to/)

> It leaves no traces in any logs (wtf?). It keeps working even if you disable
> "FMG-Access". It won't let you define an admin user with the same name to
> mitigate it, so make sure that SSH access on your devices is at least
> restricted to trusted hosts!
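The mitigation in the quoted advice is restricting SSH on the device to trusted hosts. As an added example that is not from the thread or from Fortinet, the script below audits a FortiOS CLI-style configuration export and flags interfaces that list `ssh` in `allowaccess` and admin accounts with no `trusthost` entry; the sample config is constructed, and the parser assumes the standard `config / edit / set / next / end` export layout.

```python
# Constructed sample in the FortiOS CLI export format; not from any real device.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""

def parse_sections(text):
    """Return {section: {entry: {key: value}}}; sub-blocks inside an entry are skipped."""
    sections, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if nested:                                   # inside a skipped sub-block
            nested += line.startswith("config ") - (line == "end")
        elif line.startswith("config "):
            nested = int(section is not None)        # e.g. 'config ipv6' under an interface
            if not nested:
                sections.setdefault(section := line[len("config "):], {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value
        elif line in ("next", "end"):                # 'end' also closes the section
            entry, section = None, (None if line == "end" else section)
    return sections

def audit(text):
    """Return findings: interfaces exposing SSH and admins with no trusthost set."""
    cfg = parse_sections(text)
    ssh_exposed = [f"interface {name}: ssh in allowaccess"
                   for name, attrs in cfg.get("system interface", {}).items()
                   if "ssh" in attrs.get("allowaccess", "").split()]
    open_admins = [f"admin {name}: no trusthost restriction"
                   for name, attrs in cfg.get("system admin", {}).items()
                   if not any(key.startswith("trusthost") for key in attrs)]
    return ssh_exposed + open_admins
```

Removing `ssh` from `allowaccess` on exposed interfaces is the interface-level control; per-admin `trusthost` entries only constrain the configured admin accounts, so both checks are reported.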

~~~
BlackFly
The interesting thing from that thread is that it appears it has been patched
years ago. Then again, maybe they only changed the "password" in the newer
versions.

------
matt_wulfeck
Open hardware and open source. It's our only path. In my opinion the best way
for this to happen is to make it part of the government procurement process;
that will inject cash into the ecosystem.

I really believe this has already begun with the FANG[0] tech giants with Open
Hardware initiatives. At some point you can begin pooling your resources to
create safe, secure, and fast platforms that everyone can use.

[0] facebook, amazon, netflix, google

------
tptacek
This probably isn't as bad as Juniper's, because you don't generally get
external SSH access to a Fortinet box.

~~~
venomsnake
I think the main problem is the company's attitude towards the security of
their problems. What else is in there?

Credibility is in a way binary - you either have it or don't.

~~~
ecnepsnai
I fail to see how Fortinet had a bad attitude towards this issue. It was
found, and fixed, 18 months ago before any of this information was released
publicly.

~~~
venomsnake
The existence of the issue in the first place.

------
arca_vorago
Another one bites the dust. I'm ready for more though, because it is
vindicating my position on FOSS. While FOSS isn't a panacea, at least you can
read the code!

~~~
0x0
Like heartbleed, gotofail, or the debian ssl entropy bug? :)

~~~
daveloyall
Not at all. Those were bugs. This is/was a feature.

For this, there'd have to be a specific function in some Fortinet products for
handling the special challenge/response backdoor.

A magic string like `"FGTAbc11*xy+Qqz27"` in firewall source code is going to
jump out at you. Unlike an extra goto...

~~~
0x0
How do you know those were bugs and not features? ;)

------
sschueller
Nice, who's next?

Maybe it is time we build open hardware and software for important things.
Can't trust anyone.

Doing audits of open hard and software is a whole other problem however.

~~~
bjornsing
It's mostly software backdoors we've been seeing lately, no?

(It could of course be that nobody's finding the h/w ones...)

~~~
DINKDINK
P(A|B) =/= P(B|A)

------
Daviey
I almost had a reallllllly.. bad day. Thankfully, it is only version 4.x up to
5.0.7.

~~~
Cuuugi
Me too, 5.2 phew

------
perna_m
Official statement from Fortinet:
[http://ftnt.net/1TTc1Bz](http://ftnt.net/1TTc1Bz)

------
zymhan
Can someone provide some context? A Python script alone is kind of hard to
decipher.

~~~
coldpie
Just reading the code, it looks like it connects to an SSH session with the
name Fortimanager_Access and does some special handling of the password
request (see custom_handler) which grants access. Once that's complete, it
turns control over to you to type and run commands on the firewall.

I don't quite understand the special handling. Looks like it takes a byte from
the server's output, hashes a special string containing that byte, and passes
that back to the server. This is the backdoor.

Edit: Maybe that "special handling" is just standard protocol and it's just
sending a plaintext password. I dunno.

~~~
001spartan
It uses a kind of challenge/response, where the device provides a salt that is
used with a hardcoded password for that account. It seems to look like 'AK1'
+ base64(salt|SHA1(salt|password|Fortinet magic)) according to
[http://fossies.org/linux/john/src/FGT_fmt_plug.c](http://fossies.org/linux/john/src/FGT_fmt_plug.c),
a cracker for Fortigate passwords.

------
exo762
Hugged to death. Archive link:

[https://archive.is/WU8l3](https://archive.is/WU8l3)

------
INTPenis
These backdoors in the news lately - Juniper and now Fortigate - are scary,
but thinking back on 10 years in IT I've never operated in a network where SSH
on network equipment was accessible to anyone without intranet access through
either physical location or VPN.

On top of that I am now in an organization where we're starting to implement
security levels on networks: anything above level 0 requires 2FA to access and
you can never connect a lower level to a higher level. So best practices are a
good thing.

~~~
Animats
_"I've never operated in a network where SSH on network equipment was
accessible to anyone without intranet access through either physical location
or VPN."_

Doesn't help. The attacker just has to get user-level access on some machine
on the intranet or in the data center, which can be obtained via other
attacks. Then they can attack other machines via the local network to
escalate.

~~~
INTPenis
Yes, but best practices still apply; for example, client networks in the office do
not by default have access to network equipment.

This is where VPN services like Junos (ironically Juniper) work well because
they give you 2FA and group based access. So if you're not in the networking
admins group then you have no reason to have SSH access to the networking
equipment.

~~~
Animats
The weakest application in your server farm can provide a way into the local
network. One of the reasons Amazon uses their own software-defined network
switches is so they can limit internal connectivity within their "cloud" to
prevent such attack escalation.

------
ausjke
That's a shame, but we're used to it these days I guess.

If you want to do a backdoor, you probably should do it better, something like port
knocking to start with at least.

~~~
stcredzero
_If you want to do a backdoor, you probably should do it better, something like port
knocking to start with at least._

Come to think of it, backdoors are fundamentally "security by obscurity". Or
insecurity through obscurity, depending on your POV.

~~~
Someone1234
> Come to think of it, backdoors are fundamentally "security by obscurity". Or
> insecurity through obscurity, depending on your POV.

This one is. But they aren't always.

For example, if a manufacturer put in a support/recovery backdoor, documented
it, and utilised a secret that only the end user and manufacturer should know
(e.g. something on the physical label), then that would be a backdoor while
not relying on any obscurity for its security (or no more than a password
does).

The biggest difference between a "good" backdoor and a "bad" one is if it is
documented. If the manufacturer is too scared to document it then it likely
sucks and they know it.

------
HNaTTY
This script worked for me once I enabled SSH on the lan interface on my
FortiGate 100D running 5.0. But the only command that seemed to do anything is
"exit". Everything else gave an "Unknown Action 0".

------
hoodoof
But think of the upside - so many terrorists were probably caught because this
code existed. We must fight to ensure all firewalls have back doors or face a
true terrorism threat.

------
jorge-fundido
Maybe backdoor was a bad way to describe it? Maybe it's used as a
customer-initiated support channel for when the customer wants the vendor to
access the device.

~~~
eeZi
Fortinet support just uses TeamViewer or Webex when they need access to a
device, or you create an account for them.

Source: Fortinet admin

~~~
Smushman
Yes - if it isn't obvious (which it should be to anyone here) this was
probably used as a beta method for a control/communication channel protocol,
probably inter-device only (not meant for a user or support). Built by a
programmer who was told to 'get the communication working for this new feature
we want to implement'. So he hacked open a hole with a very large cudgel where
he should have used a scalpel.

