Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.
“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.
“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”
In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds released between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.
A rose by any other name!