Sign in / up

back to article Thought you were safe from the Fortinet SSH backdoor? Think again

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable. Last week, a Python script emerged that could allow anyone to get administrator-level access to some of Fortinet's firewall devices using …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *

  1. This post has been deleted by its author

  2. Destroy All Monsters Silver badge
    FAIL

    "Management Authentication Issue"

    The situation whereby it's hard to authenticate management as they are all saying "it wasn't me!"

    12 0 Reply
    1. Allan George Dyer
      Reply Icon
      FAIL

      Re: "Management Authentication Issue"

      Translation:

      "wasn't a backdoor as such, we just didn't fit a lock on the front door"

      10 0 Reply
    2. Halfmad
      Reply Icon

      Re: "Management Authentication Issue"

      Username: Me?

      Password: noitwashim

      Sorry, password invalid. Please try again head of information assurance.

      0 0 Reply
  3. Anonymous Coward
    Anonymous Coward

    Crap

    They're spewing it, but do we have to eat it?. They are Backdoors, no matter why they were put there.

    4 0 Reply
    1. Anonymous Coward
      Reply Icon
      Terminator

      Re: Crap

      Quite. Another thing that intrigued me was:

      "Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products,"

      So, as Fortinet Inc. has fuck all clue which of its own products have been backdoored ManagementAuthenticationIssued and has had to hurriedly audit its entire inventory to find out what's ManagementAuthenticationIssued... then who's designing/configuring their kit for them? Who the hell is Fortinet's phantom negligent system architect?

      1 0 Reply
  4. Alan Brown Silver badge

    that would be the same fortinet...

    which tried to pass off Linux as its own work.

    http://www.theregister.co.uk/2005/04/29/fortinet_settles_gpl_lawsuit/

    If they tried to pull that kind of stunt once, what gives you reason to ever think they're ever trustworthy?

    10 0 Reply
    1. Anonymous Coward
      Reply Icon
      Windows

      Re: that would be the same fortinet...

      But the boxes the firewalls come in are iPhone levels of shiny!

      6 0 Reply
      1. Destroy All Monsters Silver badge
        Reply Icon

        Re: that would be the same fortinet...

        An AC with a logo? Interesting.

        Come to think of it, the shiny made it seem LESS trustworthy, not more. Like a guy with heavy, glittering rings on the fingers.

        3 0 Reply
        1. sabroni Silver badge
          Reply Icon

          Re: that would be the same fortinet...

          An AC with a logo? Why are they hiding their posting history when posting such un-controversial stuff?

          0 0 Reply
  5. Anonymous Coward
    Anonymous Coward

    Even worse

    Is the fact that you need to have a support agreement with them in order to get the update that gets rid of all these backdoors. I can understand wanting customers to pay to get new features, but getting them to pay to be safe from serious security flaws in your product - a firewall nonetheless - seems absolutely unacceptable.

    8 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Even worse

      Yup. I dumped their kit from two customer sites and have three more to go. It was less costly to get Netgate boxes (with support) and configure pfsense than to do the Fortinet support renewals.

      3 0 Reply
  6. Velv
    Facepalm

    So, let me get this straight...

    To protect my firewall, I place it behind a firewall.

    4 0 Reply
    1. Destroy All Monsters Silver badge
      Reply Icon
      Coat

      Hey, dawg! I hear you like FortiNet, so we put a firewall into your firewall so that you can backdoor while you backdoor.

      4 0 Reply
  7. Anonymous Coward
    Windows

    pfSense lacks this feature

    How on earth is pfSense expecting to be taken seriously if they lack the security basics like a backdoor?

    I've grepped the source for "backdoor" (I even used -i) and nothing came up!

    3 1 Reply
  8. Syntax Error

    Fail

    We trust these people. Another fail by the IT industry.

    2 0 Reply
  9. Juan Inamillion

    Would listening to this help?

    https://www.youtube.com/watch?v=uxX18WZ6Glw

    0 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Would listening to this help?

      I think the Alabama Song is even more appropriate than the Back Door Man when in this "industry".

      0 0 Reply
  10. Anonymous Coward
    Anonymous Coward

    Not waving, drowning

    The intern did it - Management.

    0 0 Reply
  11. Anonymous Blowhard

    When is a backdoor not a backdoor?

    Fortinet explained that this wasn't a backdoor as such, but a "management authentication issue."

    So not so much a back door as a large hole in the wall where the actual door should be...

    0 0 Reply
  12. CPU

    Ah, the irony of having to put a firewall in front of your firewall to protect it- nice one Fortinet ;-)

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like