It's a custom SSH authentication method invoked with a special username, "Fortimanager_Access". The protocol is a weak "challenge/response" using hash of the challenge concatenated with a string (used in multiple firmware versions and not at all unique to the device).
This is why <a href="http://Pfsense.com" rel="nofollow">http://Pfsense.com</a> should get even more coverage on here than it does. Chris and his team do an incredible job of creating secure open firewall software.
This is why high-assurance security products were/are required to have:<p>1. Clear description of every feature and requirement in system.<p>2. Mathematical spec of those where English ambiguity could effect results.<p>3. High level design with components that map 1-to-1 to those.<p>4. Low-level, simple, modular code mapping to that.<p>5. Source-to-object code verification or ability to generate from source on-site.<p>What people in faux security mocked as mere "paperwork" or "red tape" were actually pre-requisites for defeating subversion my mentally understanding a system from requirements all the way to code. A problem like this would've been impossible in such a system because it would be beyond obvious and <i>probably</i> unjustifiable with requirements tracing.<p>Every story like this further validates the methods that consistently produced systems without all the security problems plaguing modern security products. Situation isnt inevitable or even necessary: merely an inversion of scientific method where security companies and professionals consistently refuse to use what's proven to help and reuse tactics proven to fail. It's gotta stop.<p>That it wont is why I favor liability legislation tied to a reasonable baseline of practices. We can use an inexpensive subset of what worked in highly assured systems. 80/20 rule. Baseline would look more like Secure64 or HYDRA firewall than shit like Fortinet and Juniper. Hackers would <i>work</i> for exploits. I know Im dreaming, though, as DOD and NSA just dropped mandate to EAL1 w/ 90 day review for some stuff. (Rolls eyes).
See relevant thread in r/netsec: <a href="https://www.reddit.com/r/netsec/comments/40lotk/ssh_backdoor_for_fortigate_os_version_4x_up_to/" rel="nofollow">https://www.reddit.com/r/netsec/comments/40lotk/ssh_backdoor...</a><p>> It leaves no traces in any logs (wtf?). It keeps working even if you disable "FMG-Access". It won't let you define an admin user with the same name to mitigate it, so make sure that SSH access on your devices is at least restricted to trusted hosts!
Open hardware and open source. It's our only path. In my opinion the best way for this to happen is to make it part of the government procurement process, that will inject cash into the ecosystem.<p>I really believe this has already begun with the FANG[0] tech giants with Open Hardware initiatives. At some point you can begin pooling your resources to create safe, secure, and fast platforms that everyone can use.<p>[0] facebook, amazon, netflix, google
Another one bites the dust. I'm ready for more though, because it is vindicating my position on FOSS. While FOSS isn't a panacea, at least you can read the code!
Nice, who's next?<p>Maybe it is time we build open hardware and software for important things. Can't trust anyone.<p>Doing audits of open hard and software is a whole other problem however.
These backdoors in the news lately - Juniper and now Fortigate - are scary, but thinking back on 10 years in IT I've never operated in a network where SSH on network equipment was accessible to anyone without intranet access through either physical location or VPN.<p>On top of that I am now in an organization where we're starting to implement security levels on networks, anything above level 0 requires 2FA to access and you can never connect a lower level to a higher level. So best practices are a good thing.
that's a shame but we're used to it these days I guess.<p>if you want to do backdoor probably should do it better, something like port knocking to start with at least.
This script worked for me once I enabled SSH on the lan interface on my FortiGate 100D running 5.0. But the only command that seemed to do anything is "exit". Everything else gave an "Unknown Action 0".
But think of the upside - so many terrorists were probably caught because this code existed. We must fight to ensure all firewalls have back doors or face a true terrorism threat.
Maybe backdoor was a bad way to describe it? Maybe it's used as a customer-initiated support channel for when the customer wants the vendor to access the device.