While the initial report was vague, the infosec community on Reddit and Hacker News has managed to narrow down affected FortiOS versions to the 4.x branch up to 4.3.16, and the 5.x branch up to 5.0.7.

Anyone with "Fortimanager_Access" username and a hashed version of the "FGTAbc11*xy+Qqz27" password string, which is hard coded into the firewall, can login into Fortinet's FortiGate firewall networking equipment. According to the company's product details, this SSH user is created for challenge-and-response authentication routine for logging into Fortinet's servers with the secure shell (SSH) protocol.

Fortinet Ssh Backdoor Proof Of Concept Bsfez


Sysadmin shouldn't expose their firewall SSH port to the Internet but it happens and still this backdoor can be exploited if an attacker gains access to the local network or a virtual LAN by infecting an organization's PC.

If this happens, the attacker can access a Fortinet network security equipment by logging in using the "Fortimanager_Access" username and a hashed version of the "FGTAbc11*xy+Qqz27" string as password. This user may be tied to Fortinet's FortiManager product, advertised by the company as "an easy to use, centralized, 'single pane of glass' management console." As Rik van Duijn noticed, "the FortiGate backdoor gives a variable that is then used to create a base64 string for authentication."

Another explanation for the username/password combo was provided by Evan Anderson: "It's a custom SSH authentication method invoked with a special username, 'Fortimanager_Access.' The protocol is a weak 'challenge/response' using hash of the challenge concatenated with a string (used in multiple firmware versions and not at all unique to the device)."

A Reddit user mentioned that there might be a connection between the backdoor's disappearance and a critical security bug (CVE-2014-2216) that Fortinet fixed back in 2014 (confirmed, see below). The same Reddit user also discovered that anyone using this backdoor account does not appear in the device's access logs. This seems to confirm that the backdoor might be tied to the FortiManager maintenance platform.

"It keeps working even if you disable 'FMG-Access,'" he said after trying to disable the user/FortiManager (still not clear which one he meant). "It won't let you define an admin user with the same name to mitigate it, so make sure that SSH access on your devices is at least restricted to trusted hosts."

Fortinet, on its part, attempted to explain why its products were shipped with hard coded SSH logins. According to the company, its internal team fixed this critical security bug CVE-2014-2216 (mentioned above) in version 5.2.3 back in July 2014, without releasing any advisory.

At first FortiGuard center team issued a short statement suggesting SysAdmin to upgrade FortiOS branch 4.3 and 5.0 as soon as possible as well as giving a quick workarounds:
Disable admin access via SSH on all interfaces, and use the Web GUI instead, or the console applet of the GUI for CLI access.

This information was followed by a brief statement regarding issues found with FortiOS.