UPDATED - A vulnerability in Fortinet FortiOS Could Allow Unauthorized Remote Access

ITS Advisory Number: 
2016-011
Date(s) Issued: 
Friday, January 15, 2016
Date Updated: 
Tuesday, January 26, 2016
Subject: 
A vulnerability in Fortinet FortiOS Could Allow Unauthorized Remote Access
Overview: 

A vulnerability has been discovered in Fortinet FortiOS that could allow unauthorized remote administrative access to the device if the device has "Administrative Access" enabled for SSH. FortiOS is the operating system used by FortiGate network security platforms. Successful exploitation could lead to remote administrative access of an impacted FortiOS device. 

Systems Affected: 

ORIGINAL SYSTEMS AFFECTED

  • FortiOS versions 4.3.0 to 4.3.16
  • FortiOS versions 5.0.0 to 5.0.7

January 26 UPDATED SYSTEMS AFFECTED

  • FortiAnalyzer: 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
  • FortiSwitch: 3.3.0 to 3.3.2
  • FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
  • FortiOS 4.1.0 to 4.1.10
  • FortiOS 4.2.0 to 4.2.15

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
N/A
Description: 

A vulnerability has been discovered in Fortinet FortiOS that could allow unauthorized, remote administrative access to the device if the device has "Administrative Access" enabled for SSH. Successful exploitation could lead to remote administrative access of an impacted FortiOS device.

The vulnerability identified could lead to remote administrative access via SSH to a FortiOS device, resulting in the complete compromise of the impacted system. A hard-coded password exists in the firewall software that would allow a remote attacker to log in with full administrative access to the device by using the "Fortimanager_Access" username and a hashed version of the string "FGTAbc11*xy+Qqz27" as the password.
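Because the weakness is a fixed account rather than a memory-safety bug, the most direct detection is to watch administrative login events for that username, and for SSH admin logins from anywhere outside the expected management network. The script below is an added example, not part of the advisory and not a Fortinet tool. It assumes FortiOS's space-separated key=value event-log format with the field names shown (user, method, srcip, action, status); the sample log lines and the trusted network 10.0.0.0/24 are constructed for the example.

```python
import ipaddress
import re

# FortiOS event logs are space-separated key=value pairs; values containing
# spaces are double-quoted.  This pattern captures either form.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The hard-coded account named in the advisory.
HARDCODED_USER = "Fortimanager_Access"

# Networks from which SSH administration is expected (assumption for this example).
TRUSTED_NETWORKS = ["10.0.0.0/24"]


def parse_fortios_log(line):
    """Split one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def find_suspicious_logins(lines, trusted_networks):
    """Return (reason, fields) pairs for admin login events that need review.

    Flags every login attempt, successful or not, that uses the hard-coded
    username, plus any successful SSH admin login from outside trusted_networks.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("action") != "login":
            continue  # only admin login events are of interest here
        if f.get("user", "").lower() == HARDCODED_USER.lower():
            hits.append(("hard-coded account used", f))
            continue
        if f.get("method") == "ssh" and f.get("status") == "success":
            try:
                src = ipaddress.ip_address(f.get("srcip", ""))
            except ValueError:
                hits.append(("ssh login with unparseable srcip", f))
                continue
            if not any(src in n for n in nets):
                hits.append(("ssh admin login from untrusted address", f))
    return hits


# Constructed sample lines in FortiOS event-log form; not real captures.
SAMPLE_LOGS = [
    'date=2016-01-15 time=09:12:03 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" '
    'status="success" reason="none" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2016-01-15 time=09:15:41 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" '
    'user="Fortimanager_Access" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 '
    'action="login" status="success" reason="none" '
    'msg="Administrator Fortimanager_Access logged in successfully from ssh(203.0.113.7)"',
    'date=2016-01-15 time=09:17:10 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="admin" '
    'ui="ssh(198.51.100.9)" method="ssh" srcip=198.51.100.9 action="login" '
    'status="success" reason="none" '
    'msg="Administrator admin logged in successfully from ssh(198.51.100.9)"',
    'date=2016-01-15 time=09:18:55 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="admin" '
    'ui="ssh(10.0.0.5)" method="ssh" srcip=10.0.0.5 action="login" '
    'status="success" reason="none" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"',
    'date=2016-01-15 time=09:20:02 logid=0100032002 type=event subtype=system '
    'level=alert vd="root" logdesc="Admin login failed" user="Fortimanager_Access" '
    'ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 action="login" '
    'status="failed" reason="passwd_invalid" '
    'msg="Administrator Fortimanager_Access login failed from ssh(203.0.113.7)"',
]


if __name__ == "__main__":
    for reason, f in find_suspicious_logins(SAMPLE_LOGS, TRUSTED_NETWORKS):
        print(f"{f['date']} {f['time']}  {reason}: user={f['user']} srcip={f['srcip']}")
```

Failed attempts with the hard-coded username are reported as well as successful ones, since a failure on a patched device is still evidence that someone is trying the credential against it; the untrusted-source rule is the one that remains useful after patching, as it backs the advisory's recommendation to confine SSH administration to pre-authorized addresses.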

Actions: 

  • Apply appropriate patches provided by Fortinet to vulnerable systems immediately after appropriate testing.
  • Disable administrator access over SSH on all network interfaces of the device and use the web GUI, or the console applet in the GUI, instead.
  • In cases where SSH access is necessary on FortiOS 5.x versions, restrict SSH access to a minimal set of pre-authorized IP addresses.
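The second and third actions are both visible in a device's running configuration: SSH is exposed on an interface when `ssh` appears in that interface's `allowaccess` list, and an administrator account is reachable from any address when it has no `trusthost` entries. The script below is an added example, not part of the advisory and not a Fortinet tool, that parses a FortiOS-style `config / edit / set / next / end` fragment, reports both conditions, and emits the CLI lines that would drop `ssh` from each affected interface. It assumes the FortiOS CLI keywords `allowaccess`, `trusthost1..trusthostN` and `unset` behave as named here; the configuration fragment is constructed for the example.

```python
import shlex


def parse_fortios_config(text):
    """Parse FortiOS CLI config syntax into {section: {entry: {key: [values]}}}.

    'config a b' opens section "a b", 'edit "x"' opens entry x inside it,
    'set k v...' records values, 'next' closes the entry and 'end' closes the
    section.  Nested config blocks are tracked by joined path (e.g.
    "system interface/ipv6"), not per enclosing entry.  Settings made
    directly under a section (no 'edit') are stored under the entry key None.
    """
    sections = {}
    path = []      # stack of open section names
    entries = []   # stack of current entry name per open section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entries.append(None)
            sections.setdefault("/".join(path), {})
        elif cmd == "edit":
            entries[-1] = args[0]
            sections["/".join(path)].setdefault(args[0], {})
        elif cmd == "set":
            sections["/".join(path)].setdefault(entries[-1], {})[args[0]] = args[1:]
        elif cmd == "next":
            entries[-1] = None
        elif cmd == "end":
            path.pop()
            entries.pop()
    return sections


def audit_ssh_exposure(sections):
    """Return (kind, name, detail) findings for SSH-exposed interfaces and
    admin accounts that are not restricted to trusted hosts."""
    findings = []
    for name, attrs in sections.get("system interface", {}).items():
        access = attrs.get("allowaccess", [])
        if name is not None and "ssh" in access:
            findings.append(("interface", name, "ssh in allowaccess: " + " ".join(access)))
    for name, attrs in sections.get("system admin", {}).items():
        if name is not None and not any(k.startswith("trusthost") for k in attrs):
            findings.append(("admin", name, "no trusthost restriction"))
    return findings


def harden_allowaccess(sections):
    """Emit CLI lines that remove 'ssh' from allowaccess on every interface
    that currently permits it; returns [] when nothing needs changing."""
    lines = ["config system interface"]
    changed = False
    for name, attrs in sections.get("system interface", {}).items():
        access = attrs.get("allowaccess", [])
        if name is None or "ssh" not in access:
            continue
        changed = True
        kept = [a for a in access if a != "ssh"]
        lines.append(f'    edit "{name}"')
        # An empty allowaccess list is expressed with 'unset', not an empty 'set'.
        lines.append("        set allowaccess " + " ".join(kept) if kept else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return lines if changed else []


# Constructed configuration fragment for the example; not from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next
    edit "mgmt"
        set vdom "root"
        set ip 192.0.2.254 255.255.255.0
        set allowaccess ssh
        set type physical
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
"""


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for kind, name, detail in audit_ssh_exposure(cfg):
        print(f"{kind} {name}: {detail}")
    print("\n".join(harden_allowaccess(cfg)))
```

Where SSH must stay enabled on an interface, the `admin` entry in the sample shows the shape of the third action: a `trusthost` line per account narrows logins to the listed network, and the audit treats any account without one as a finding.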