Just one month after its competitor, Juniper, revealed that it had discovered unauthorised code on its NetScreen line of security devices, Fortinet has also come under suspicion of hosting suspect code.
Researchers examining Fortinet's code found a hidden hard-coded password inside a challenge-and-response routine used for SSH authentication. This hard-coded password, reported to be "FGTAbc11*xy+Qqz27", would in effect open a backdoor into the device.
The code appears to be present in all FortiGate OS versions from 4.3 to 5.0.7. To substantiate their claims, the researchers posted screenshots of successful exploits against Fortinet's OS in which the hidden password was used to gain remote access to the device.
In a statement, Fortinet officials rejected the backdoor characterisation: "This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase. This was not a "backdoor" vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external. All versions of FortiOS from 5.0.8 and later as well as FortiOS 4.3.17 and later are not impacted by this issue."
However, whether the code was unauthorised or not, it had exactly the same effect as a backdoor, and it was present in Fortinet's older OS releases (4.3 to 5.0.7) for several years.
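As an added example, not code from the article or from Fortinet, the following Python snippet turns the version ranges stated above into an inventory check a defender can run: builds on the 4.3 branch below 4.3.17 and on the 5.0 branch below 5.0.8 are reported as affected, the fixed builds as fixed, and any other branch as unknown rather than silently assumed safe. The hostnames and version strings in the sample inventory are constructed.

```python
import re

# Fixed patch level per affected FortiOS branch, taken from Fortinet's statement
# quoted above: 4.3.17 and later, and 5.0.8 and later, are not impacted.
FIXED_PATCH = {(4, 3): 17, (5, 0): 8}


def parse_version(version):
    """Turn 'v5.0.7' or '5.0.7,build1234' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the build falls in an affected range, False if it is a fixed
    build, None if the branch lies outside the ranges the article describes
    (so the caller must decide instead of assuming it is safe)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def triage(inventory):
    """Group a {hostname: version} inventory into affected / fixed / unknown."""
    buckets = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames and build strings are made up.
    sample = {
        "fw-edge-01": "v5.0.7,build1234",
        "fw-edge-02": "5.0.8",
        "fw-branch-03": "4.3.16",
        "fw-branch-04": "v4.3.17",
        "fw-lab-05": "5.2.3",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```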