Overview

In security research, once a vulnerability or undocumented access has been found in one device, attackers and researchers alike scramble to find related vulnerabilities in similar devices. Only weeks after the vulnerabilities in Juniper ScreenOS were disclosed, a similar vulnerability, CVE-2016-1909, was found in Fortinet’s FortiOS. CVE-2016-1909 is a hardcoded SSH credential: the username Fortimanager_Access, with the static string FGTAbc11*xy+Qqz27 hashed to produce the password.

Impact

FortiOS versions 4.3.0 through 4.3.16 and 5.0.0 through 5.0.7, that is, builds released between November 2012 and July 2014, include the hardcoded SSH credentials. FortiOS 5.2 and 5.4 are not affected. Proof-of-concept code was posted to the Seclists.org Full Disclosure mailing list, and some Twitter feeds document exploitation as early as January 12, 2016.

The hardcoded credentials give administrative access and, given that no event logs are generated for the account, may be tied to FortiManager Centralized Security Management.

Fortinet’s blog, Behind the Firewall, posted a Brief Statement Regarding Issues Found with FortiOS, stating, “After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.” The blog identifies the following versions as not affected:

FortiOS v4.3.17 or any later version of FortiOS v4.3 (available as of July 9, 2014)
FortiOS v5.0.8 or any later version of FortiOS v5.0 (available as of July 28, 2014)
Any version of FortiOS v5.2 or v5.4

Note: there have been reports of researchers finding the hardcoded password string in version 5.2.3, suggesting that the algorithm used to derive the final password from that string may have changed between versions.

Identification

It is difficult to identify unauthorized access because FortiOS does not create event logs for the Fortimanager_Access user by default. It may be possible to have logs include the Fortimanager_Access user by configuring a Local-In Policy that covers central management (a FortiGate unit being managed by a FortiManager unit). See the Logging Local-In Policies section of the FortiOS Handbook, Logging and Reporting for FortiOS.

It may also be possible to view SSH attempts on the console. Use "diagnose debug application sshd -1" and look for input_usrauth_request messages naming the Fortimanager_Access user.
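As an added illustration of the identification step above (example code written for this page, not GuidePoint's or Fortinet's own tooling), the Python script below scans exported FortiOS event-log lines and captured sshd debug console output for any authentication by the Fortimanager_Access user and reports the source address. The sample lines are constructed; the key=value layout and the field names user=, ui= and status= are assumptions about the log export, as is the exact shape of the sshd debug line.

```python
import re
from dataclasses import dataclass

# Hardcoded username introduced by CVE-2016-1909 (from the advisory text).
SUSPECT_USER = "Fortimanager_Access"

# FortiOS event logs are key=value records; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Console output of "diagnose debug application sshd -1" (assumed shape).
SSHD_RE = re.compile(r'input_usrauth_request.*?\buser\s+(\S+)', re.IGNORECASE)
IP_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')

# Constructed sample data: two event-log records and two sshd debug lines.
SAMPLE_LOG = """\
date=2016-01-13 time=08:14:02 type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="admin" ui="ssh(192.0.2.10)" action="login" status="success"
date=2016-01-13 time=08:20:44 type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="Fortimanager_Access" ui="ssh(198.51.100.7)" action="login" status="success"
sshd[231]: input_usrauth_request: user Fortimanager_Access service ssh-connection method keyboard-interactive from 198.51.100.7
sshd[231]: input_usrauth_request: user admin service ssh-connection method password from 192.0.2.10
"""


@dataclass
class Finding:
    source: str   # "eventlog" or "sshd"
    user: str
    src_ip: str   # "?" when no address could be recovered from the line
    status: str   # login status from the log, or "attempt" for sshd debug


def parse_kv(line):
    """Split a FortiOS key=value log record into a dict (quoted or bare values)."""
    return {k: (q or u) for k, _, q, u in KV_RE.findall(line)}


def scan_line(line):
    """Return a Finding for any login record or sshd auth request, else None."""
    m = SSHD_RE.search(line)
    if m:
        ip = IP_RE.search(line)
        return Finding("sshd", m.group(1), ip.group(0) if ip else "?", "attempt")
    if "=" in line:
        kv = parse_kv(line)
        if kv.get("user"):
            # ui="ssh(a.b.c.d)" carries the client address in event logs.
            ip = IP_RE.search(kv.get("ui", ""))
            return Finding("eventlog", kv["user"], ip.group(0) if ip else "?",
                           kv.get("status", "?"))
    return None


def find_hardcoded_logins(lines):
    """Keep only findings for the CVE-2016-1909 hardcoded account."""
    return [f for f in map(scan_line, lines) if f and f.user == SUSPECT_USER]
```

Run find_hardcoded_logins over the lines of an exported log or a saved console capture; any result means the hardcoded account was used and the source address should be treated as hostile.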

Remediation

The FortiGuard Center advisory, FortiOS SSH Undocumented Interactive Login Vulnerability, recommends upgrading the FortiOS 4.3 branch to 4.3.17 or later and the 5.0 branch to 5.0.8 or later. There are two possible workarounds:

  1. Disable admin access via SSH on all interfaces, and use the Web GUI or console applet of the GUI for CLI access.
  2. Limit SSH access to a minimal set of IP addresses with the Local-In policies.

GuidePoint recommends restricting SSH access to your FortiOS device to a whitelist of IP addresses and patching to the latest build.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.