Malicious software developers love a good hacking opportunity, this much is already known — they are even happier when they find a “coder’s backdoor” left open, which usually happens for one of two reasons.
Reasons for a backdoor experience
Reason #1 — Access for ‘management control’ purposes, built in by the vendor that produces the firewall technology in the first place.
Reason #2 — It is alleged by some sources that certain security authorities may (from time to time) look to gain access through firewall layers, and so building backdoors into the original code base makes sense to them.
An example being played out
Recent reports have detailed confirmed vulnerabilities that have surfaced across the product line of cyber-security solutions firm Fortinet.
The firewall and network security company has been open about the technical details of recent events — but Fortinet has refuted claims that an interactive login vulnerability affecting older versions of FortiOS could have been a backdoor for hackers to gain remote console access to vulnerable devices.
The access in question would enable remote console access to vulnerable devices with “Administrative Access” enabled for secure shell (SSH).
What the industry thinks
Steve Ward is senior partner at iSIGHT Partners, a vendor-neutral threat intel consultancy.
“We believe exploitation of this flaw in FortiAnalyzer, FortiSwitch and FortiCache poses a low to moderate threat, though exploit code is publicly available and current versions of these products are vulnerable, which was not the case with FortiOS,” said Ward.
“Fortinet’s most recent disclosure appears to be the result of the company’s due diligence in identifying all products impacted by the security flaw, whereas the original disclosure was focused only on the known vulnerability in FortiOS,” he added.
Kevin Bocek, vice president security strategy & threat intelligence at Venafi, comments that the problem we have is that SSH just isn’t figuring on enterprises’ agendas – CIOs and CISOs just aren’t thinking about it, and they certainly aren’t protecting it.
“This is a problem, and issues such as this Fortinet admission really highlight that gap. According to Ponemon Institute, more than 50% of organizations do not have centralized Secure Shell (SSH) key security. 74% do not enforce SSH security policies at all, or rely on a documented manual process. Moreover, 51% of organisations surveyed have been compromised in the last 2 years as a result of SSH key misuse. This means that most customers will have no way of assessing their level of risk or changing out SSH keys,” he said.
Bocek concludes, “Anytime you get admin access, it is a big issue, particularly with SSH as it allows systems administrators to have elevated privileges, bypassing authentication mechanisms on the host. By using a stolen SSH private key, an adversary can gain rogue root access to an enterprise network, bypassing all the security controls put in place. Because organisations have no SSH security policies, SSH oversight, or ability to respond to an SSH-based attack, cyber-criminals are using SSH as an attack vector at an ever-increasing rate. This is why the Fortinet issue is such a problem – essentially, hackers could gain access to all the vulnerable Fortinet systems with the same password. This vulnerability shows it’s just not a patching issue – SSH is a huge vulnerability with no visibility and protection: who has access, when, to where, and how? Organizations can’t accept this hole in their cybersecurity foundation. They need to first get visibility into SSH use and access, and then enforce their policies.”
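As an added illustration of the SSH visibility gap Bocek describes (who has access, when, from where, and how), the following Python is not from the article, Fortinet or Venafi: it parses constructed sshd log lines, flags privileged logins that used a password or came from outside an assumed management network, and inventories which key fingerprints have been used for which accounts. The trusted network, privileged account names and log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not taken from the article or from any Fortinet device).
SAMPLE_LOG = """\
Jan 12 09:01:15 fw-edge sshd[2201]: Accepted publickey for admin from 10.20.0.5 port 51122 ssh2: RSA SHA256:AbCdEfGh1234
Jan 12 09:07:42 fw-edge sshd[2290]: Accepted password for admin from 203.0.113.44 port 40012 ssh2
Jan 12 09:09:03 fw-edge sshd[2311]: Failed password for admin from 203.0.113.44 port 40013 ssh2
Jan 12 09:15:30 fw-edge sshd[2350]: Accepted publickey for ops from 10.20.0.9 port 51300 ssh2: ED25519 SHA256:ZyXwVu9876
"""

TRUSTED_NETS = [ip_network("10.20.0.0/24")]  # assumed management network
ADMIN_USERS = {"admin", "root"}               # assumed privileged accounts

# Matches OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fingerprint>]"
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

def parse_accepted(log_text):
    """Return one dict per successful SSH login: who, when, from where, and how."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())  # unmatched optional groups come back as None
    return events

def flag_risky_logins(events, trusted_nets=TRUSTED_NETS, admin_users=ADMIN_USERS):
    """Flag privileged logins that used a password or came from outside trusted networks."""
    findings = []
    for e in events:
        reasons = []
        if e["user"] in admin_users and e["method"] == "password":
            reasons.append("password auth to privileged account")
        if not any(ip_address(e["src"]) in net for net in trusted_nets):
            reasons.append("source outside trusted management network")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "reasons": reasons})
    return findings

def key_inventory(events):
    """Map each key fingerprint to the accounts it has logged into (visibility into key use)."""
    inventory = defaultdict(set)
    for e in events:
        if e["fp"]:
            inventory[e["fp"]].add(e["user"])
    return {fp: sorted(users) for fp, users in inventory.items()}
```

Run against a real host's auth log, the same two functions answer Bocek's four questions and surface password-based admin logins that a key-only policy should have prevented.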
Creedence Clearwater Revival – Lookin’ Out My Back Door