Reference: CERT-EU Security Advisory 2016-62 UPDATED

Version history:
13.01.2016, Security Advisory 2016-45 - FortiOS login vulnerability
25.01.2016, 2016-62 - SSH Login vulnerability on multiple Fortinet products

Short Summary
--------------
The FortiOS SSH service has a login vulnerability. Remote console access to vulnerable devices with "Administrative Access" enabled for SSH is possible. A Python script was released that can be used to exploit the vulnerability.

UPDATE: FortiAnalyzer, FortiSwitch and FortiCache have the same vulnerability. New workaround methods have been issued by the manufacturer. [4]

CVE reference: -
Affected platforms: FortiOS, FortiAnalyzer, FortiSwitch, FortiCache
Announcement Date: 2016-January-12
Update Date: 2016-January-20
Security risk: High
Vulnerability: Multiple SSH product vulnerability
Vendor Status: Notified / Patch available

Systems affected
-----------------
UPDATE:
FortiOS 4.1.0 to 4.1.10
FortiOS 4.2.0 to 4.2.15
FortiOS 4.3.0 to 4.3.16
FortiOS 5.0.0 to 5.0.7
FortiAnalyzer: 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4
FortiSwitch: 3.3.0 to 3.3.2
FortiCache: 3.0.0 to 3.0.7

Impact
-------
An attacker can remotely exploit the SSH service of FortiOS without having any privileges. The attacker gains access to the administration functions of the device.

Solutions
----------
UPDATE:
Upgrade FortiOS to version 4.1.11, 4.2.16, 4.3.17, 5.0.8, 5.2.0 or 5.4.0, since these versions are not vulnerable.
Upgrade FortiAnalyzer to version 5.0.12 or 5.2.5, since these versions are not vulnerable.
Upgrade FortiSwitch to version 3.3.3, since this version is not vulnerable.
Upgrade FortiCache to version 3.0.8 or br. 3.1, since these versions are not vulnerable.

UPDATE: More details on workarounds specific to each product have been released by Fortiguard. According to Fortiguard, as a workaround for FortiOS, system administrators can disable admin access via SSH on all interfaces.
If SSH access is mandatory, in 5.0 one can restrict SSH access to a minimal set of authorized IP addresses via the Local In policies. In FortiAnalyzer, access can be limited by granting access only to specific IP addresses with the trusthost commands. In FortiSwitch, disabling admin access through SSH and through the console applet of the GUI for CLI is recommended. In FortiCache, disabling admin access through SSH and through the console applet of the GUI for CLI is recommended.

Additional References
-----------------------
[1] Fortiguard vulnerability: http://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-login-vulnerability
[2] Fortiguard Blog: http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios
[3] SecLists Exploit: http://seclists.org/fulldisclosure/2016/Jan/26
[4] Fortiguard update on vulnerability: http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
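The following triage helper is an added example and is not CERT-EU, Fortiguard or Fortinet code. It encodes the affected version ranges and the fixed versions listed in the "Systems affected" and "Solutions" sections above, so that a device inventory can be checked offline, and it scans FortiOS `show system interface` style output for interfaces whose `allowaccess` list still contains `ssh`, which is the exposure the vendor workaround removes. The inventory rows, the interface configuration text and the version-string format (`v5.0.7,build...`) are constructed for the example; check the output against your own devices rather than treating it as authoritative.

```python
"""Offline triage helper for the Fortinet SSH login advisory (CERT-EU 2016-62).

Added example, not CERT-EU or Fortinet code. Affected ranges and fixed
versions are taken from the advisory text; all sample data is constructed.
"""
import re

# Per product: (lowest affected, highest affected, fixed version), from the
# advisory's "Systems affected" and "Solutions" sections.
AFFECTED = {
    "FortiOS": [
        ((4, 1, 0), (4, 1, 10), (4, 1, 11)),
        ((4, 2, 0), (4, 2, 15), (4, 2, 16)),
        ((4, 3, 0), (4, 3, 16), (4, 3, 17)),
        ((5, 0, 0), (5, 0, 7), (5, 0, 8)),
    ],
    "FortiAnalyzer": [
        ((5, 0, 5), (5, 0, 11), (5, 0, 12)),
        ((5, 2, 0), (5, 2, 4), (5, 2, 5)),
    ],
    "FortiSwitch": [((3, 3, 0), (3, 3, 2), (3, 3, 3))],
    "FortiCache": [((3, 0, 0), (3, 0, 7), (3, 0, 8))],
}


def parse_version(text):
    """Turn '5.0.7' or a constructed 'v5.0.7,build4457' into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return (vulnerable, fixed_version_or_None) for one device.

    Tuple comparison keeps the check inside one release branch, so 5.2.3
    (FortiOS) is reported as not affected even though 5.0.7 is."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= v <= high:
            return True, ".".join(map(str, fixed))
    return False, None


def ssh_exposed_interfaces(config_text):
    """Return the names of interfaces whose 'set allowaccess' includes ssh.

    Assumes the edit/set/next layout FortiOS prints for system interface
    configuration; the sample below is constructed, not captured."""
    exposed = []
    current = None
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("edit "):
            current = s[5:].strip('"')
        elif s.startswith("set allowaccess ") and current:
            if "ssh" in s[len("set allowaccess "):].split():
                exposed.append(current)
        elif s == "next":
            current = None
    return exposed


# Constructed sample inventory: (product, version string as reported by the device).
INVENTORY = [
    ("FortiOS", "v5.0.7,build4457"),
    ("FortiOS", "5.2.3"),
    ("FortiAnalyzer", "5.2.4"),
    ("FortiSwitch", "3.3.3"),
    ("FortiCache", "3.0.2"),
]

# Constructed sample interface configuration; port2 already has ssh removed.
SAMPLE_INTERFACES = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https
    next
    edit "wan1"
        set allowaccess ping ssh http
    next
end
"""


def triage(inventory=INVENTORY):
    """Return rows of (product, version, vulnerable, fixed_version_or_None)."""
    return [(p, v) + assess(p, v) for p, v in inventory]


if __name__ == "__main__":
    for product, version, vuln, fixed in triage():
        status = "VULNERABLE -> upgrade to %s" % fixed if vuln else "not in affected range"
        print("%-14s %-18s %s" % (product, version, status))
    print("interfaces still exposing SSH admin access:",
          ssh_exposed_interfaces(SAMPLE_INTERFACES))
```

Devices that report as vulnerable should be upgraded to the listed fixed version; interfaces that the scan lists still expose SSH administrative access and are the ones to cover with the vendor workarounds (remove ssh from allowaccess, or restrict sources with Local In policies / trusthost) until the upgrade is done.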