Adrian Bridgwater uncovers a cybersecurity version of three-card monte in Fortinet on SSH vulnerabilities: look, this really isn’t a backdoor, honest.
Fortinet created an undocumented method for FortiManager to communicate with its devices. Or, in Fortinet’s own security advisory:
An undocumented account used for communication with authorized FortiManager devices exists on some versions of FortiOS, FortiAnalyzer, FortiSwitch and FortiCache.
On vulnerable versions, and provided “Administrative Access” is enabled for SSH, this account can be used to log in via SSH in Interactive-Keyboard mode, using a password shared across all devices. It gives access to a CLI console with administrative rights.
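The precondition the advisory states is that “Administrative Access” for SSH is enabled on an interface the attacker can reach. The following Python is added here as an example and is not code from Fortinet or from the article: it audits a FortiOS configuration backup (the `config system interface` / `set allowaccess` syntax FortiOS uses) for interfaces that expose SSH and emits the CLI lines that remove SSH from them while keeping the other services. The configuration fragment is constructed with documentation addresses. Removing SSH from untrusted interfaces only closes the stated precondition; it is a stopgap, not a substitute for the vendor fix.

```python
"""Audit a FortiOS config dump for interfaces that expose SSH admin access.
Example code, not from Fortinet or the article; the config below is constructed."""
import re

# Constructed sample in FortiOS CLI syntax. 'fgfm' is the FortiGate-FortiManager
# management protocol; 'ssh' is the service the quoted advisory's precondition names.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
    edit "mgmt"
        set vdom "root"
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [allowaccess services]} from the
    'config system interface' section, preserving the order in the dump."""
    interfaces = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":          # end of the interface section
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = []   # no allowaccess line means nothing exposed
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set allowaccess"):
            interfaces[current] = line.split()[2:]
    return interfaces


def ssh_exposed_interfaces(config_text):
    """Names of interfaces whose allowaccess includes ssh, sorted."""
    return sorted(name for name, svcs in parse_interfaces(config_text).items()
                  if "ssh" in svcs)


def hardened_allowaccess(config_text):
    """CLI lines that drop ssh from every interface currently allowing it,
    leaving the remaining services in their original order."""
    lines = ["config system interface"]
    for name, svcs in parse_interfaces(config_text).items():
        if "ssh" not in svcs:
            continue
        kept = " ".join(s for s in svcs if s != "ssh")
        lines.append(f'    edit "{name}"')
        lines.append(f"        set allowaccess {kept}")
        lines.append("    next")
    lines.append("end")
    return lines


if __name__ == "__main__":
    print("SSH exposed on:", ", ".join(ssh_exposed_interfaces(SAMPLE_CONFIG)))
    print("\n".join(hardened_allowaccess(SAMPLE_CONFIG)))
```

Run it against a real `show system interface` export to list which interfaces would let the shared-password account in; the emitted block can be pasted into the CLI, but review it first, since removing SSH from the only interface you manage the box from locks you out.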
In an update to previous attempts at obfuscation, Fortinet says:
As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access.
Even on a generous reading, Fortinet built a “feature” that served only Fortinet, never disclosed it to its customers, and that “feature” weakened those customers’ security: an undocumented account, a password shared across every device, and a CLI with administrative rights at the end of it.
If “backdoor” is reserved for malicious third parties, perhaps we should call this a “designed security defect” by a manipulative first party.