SSH backdoor discovered in Fortinet FortiOS firewalls

Within a month's span since Juniper Network found an unauthorised backdoor in their Netscreen firewall, researchers from all over the globe have been working hard and have found similar faulty codes in Juniper's top competitor Fortinet.

This code comprises of a certain "challenge and response" authentication routine in order to log in to the server with an enabled secure shell (SSH) protocol. A hard-coded password for FGTAbc11*xy+Qqz27 was extracted by researchers after reviewing it when it was exploited and the code was later posted online on Saturday. On Tuesday, a researcher claimed that by using the exploited code, one can gain access to a server running Fortinet's FortiOS software.

According to Ralf-Philipp Weinmann, a security researcher who contributed in unraveling the innerworkings of the Juniper vulnerability, took to Twitter on Tuesday and has been continuously referring to the custom SSH authentication as a "backdoor." In one of his posts, he confirmed that he was able to make the backdoor work as reported for older versions of FortiOS.

According to the exploited code, the undisclosed authentication worked from versions 4.3, up to 5.0.7. If the days stand undisputed, the surreptitious access method would active in FortiOS versions as well in the current 2013 and 2014 time frame and possibly earlier. The vulnerability was eventually patched, but still, researchers are unable to locate a security advisory that could disclose the alternative authentication method or the hard-coded password. While one researcher started that the exploit no longer works in version 5.2.3, the release is still suspicious as it contained the same hard-coded string.

"So a lot of parts of this auth mechanism are still in the later firmware," said the researcher, who requested to be anonymous. The most recent version of FortiOS 5.4.0, was released this month.