Tag Archives: Fortinet

CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belonged to an NSA contractor that has been called the Equation Group.

Whether the Equation Group is real, and whether it is a vendor of exploits to the NSA or not, is really not terribly relevant in the big picture.

What is relevant is that they released a whole bunch of working exploits that are being used, and at least some of which have likely been used for a while, to silently break into corporate networks. And probably government networks too. The exploits target Cisco, Juniper, Fortinet and Topsec (a Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cybercom was created. The same group of people who are responsible for hacking people (the NSA) is also responsible for protecting people from hackers, and that is a conflict of interest they cannot resolve. When the NSA / Cybercom finds a vulnerability, they have to decide whether to tell the manufacturer so that it can be fixed, or keep it to themselves so that they can use it until someone else finds it and tells the manufacturer.

The problem with that philosophy is that, given the NSA was able to find it, it is likely that the Chinese or Russians were able to find it too. And the Chinese are unlikely to tell Cisco or Fortinet about the bug, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.

The President issued a directive laying out the rules of engagement for this issue, but those rules say that the NSA can keep a bug secret and not tell the manufacturer if they think it has intelligence value.

So here we have a group (The Shadow Brokers) that released a whole trove of bugs already turned into working attacks. That is good for users in the long run, because now the bugs will eventually be fixed, but in the meantime, until patches are shipped and installed, anyone can use them to attack you and me.

The CERT advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA, a very popular corporate firewall.

The alert makes a number of very useful suggestions:

  1. Segregate your network.  Isolate your network into separate zones (user workstations, servers, management) so that an attacker who breaks through the front door does not have the run of the house.  The alert describes how to do this.
  2. Limit “lateral” communications.  Block peer-to-peer traffic between workstations, and between servers, unless there is a business reason for it; that traffic is what lets an attacker move from the first compromised machine to the rest.
  3. Harden network devices.  On firewalls, routers and switches: use only encrypted management protocols (SSH rather than Telnet, SNMPv3 rather than v1/v2c, HTTPS rather than HTTP), use robust passwords, disable services you do not need, restrict physical access, and follow the other suggestions described in the alert.
  4. Secure access to firewalls and switches.  Allow administrative logins only from designated management hosts or subnets, use multi-factor authentication where the device supports it, and log every administrative session.
  5. Perform out-of-band management.  Put the devices’ management interfaces on a physically or logically separate network, so that an attacker who has compromised a production segment cannot reach the management plane at all.
  6. Validate the integrity of the hardware and software.  Check the running image against the vendor-published hash, buy hardware only through authorized channels, and watch for unexpected changes to configurations and images.
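Items 3 and 4 are the ones that most often fail quietly, because a device hardened on day one drifts over years of one-off changes. The script below is an added example (not part of the CERT alert or of this post) that audits a Cisco IOS-style running configuration for the specific gaps the alert calls out: Telnet on the management (vty) lines, vty lines with no access-class, SNMP v1/v2c communities, plaintext HTTP management and reversible passwords. The configuration it scans is constructed for illustration and is not from a real device; the checks use only standard IOS command syntax.

```python
"""Audit an IOS-style running config for the hardening gaps in the CERT alert.

Added example, not the CERT alert's or the original post's code.  The config
below is constructed for illustration, not taken from a real device.
"""
import re

# Constructed sample config: two vty line groups, one hardened and one not.
SAMPLE_CONFIG = """\
hostname edge-fw-1
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 password vty123
 login
line vty 5 15
 transport input ssh
 access-class 10 in
 login local
"""


def parse_sections(config):
    """Split a config into (top-level line, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if sections:                       # child of the last top-level line
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    sections = parse_sections(config)
    headers = {h for h, _ in sections}

    # Item 3: passwords stored in a form an attacker can read back.
    if "service password-encryption" not in headers:
        findings.append(("low", "service password-encryption not set; line passwords are stored in clear"))

    for header, children in sections:
        if header.startswith("enable password "):
            findings.append(("high", "enable password is reversible/plaintext; use 'enable secret'"))

        # Item 3: SNMP v1/v2c sends the community string in clear on the wire.
        m = re.match(r"snmp-server community (\S+) (RO|RW)", header)
        if m:
            community, mode = m.groups()
            sev = "high" if mode == "RW" or community in ("public", "private") else "medium"
            findings.append((sev, f"SNMP v1/v2c community '{community}' ({mode}); migrate to SNMPv3 authPriv"))

        if header == "ip http server":
            findings.append(("medium", "plaintext HTTP management enabled; disable it or use 'ip http secure-server'"))

        # Items 3 and 4: management lines must be SSH-only and ACL-restricted.
        if header.startswith("line vty"):
            transports, has_acl = set(), False
            for child in children:
                if child.startswith("transport input"):
                    transports.update(child.split()[2:])
                if child.startswith("access-class"):
                    has_acl = True
            if "telnet" in transports or "all" in transports:
                findings.append(("high", f"{header}: telnet allowed; set 'transport input ssh'"))
            if not has_acl:
                findings.append(("medium", f"{header}: no access-class; restrict management to trusted hosts"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6s}] {message}")
```

On the sample above the hardened `line vty 5 15` group produces no findings, while `line vty 0 4` is flagged twice (Telnet enabled, no access-class). Run it against `show running-config` output captured over SSH from each device; it is a quick way to find the one box that was never brought up to the standard the alert describes.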

The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA, and probably other intelligence agencies, have been using these attacks in the wild, and that NOW these attacks are known to every hacker on the planet, it is critical that companies protect themselves.


The CERT advisory can be found here.

A Wired article on the issue can be found here.



When Will They Ever Learn?

As the folk music group Peter, Paul and Mary sang in 1962, in Pete Seeger’s song about a completely different subject, When Will They Ever Learn?  It appears that, for software companies, the answer is a big question mark.

First Juniper got caught with a hard-coded back door of unknown origin in its firewalls.  Then Cisco got in trouble for hard-coded credentials.  Now it is Fortinet.

The interesting thing is that these three companies are all security vendors.  If they can’t figure it out, is it likely that the rest of the software community has it figured out?

In Fortinet’s case, it wasn’t a back door in the sense of something designed to allow unauthorized people to log in to their firewalls, switches and other devices.  But the effect is the same.  Fortinet makes a central management application that allows a company to manage their Fortinet Security appliances and switches remotely.  That management console needs to exchange information with the devices in order to allow a network administrator to manage all those devices remotely.

Fortinet, of course, wants to make this easy for administrators.  What better way to do that than to hard-code a set of credentials (user ID and password) shared between the management console and every device it manages.

What could go wrong with that?

Vulnerable products are FortiAnalyzer releases 5.0 and 5.2, FortiSwitch 3.3, FortiCache 3.0 and FortiOS 4.1, 4.2, 4.3 and 5.0.

Obviously this is a problem for Fortinet customers, but there is a bigger issue here.

If security product vendors are not smart enough to figure out that hard-coding credentials, no matter how well intentioned, is a problem, what are millions of other vendors doing?  Likely the same thing.  Or MUCH WORSE!

And do I think hackers are smart enough to look for those hard coded credentials? Probably.  No, definitely.

The systems probably at the biggest risk are those that are remotely managed and/or managed by a third party.  Many point of sale cash register systems are examples of both, including some of those that have been hacked in the last few years.  For systems to be managed remotely, especially by third parties, it is a whole lot easier if every system can be accessed using a single user ID and password.

If you have one or more such systems (a POS or alarm system, for example), ask the vendor how credentials work and how you can periodically change the password to comply with your company’s security policy.  If the answer is that you can’t change the password, then what you have is a backdoor.  Maybe an authorized one, but still a backdoor.
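Asking the vendor is the right first step, but you do not have to take their word for it: a hard-coded credential has to live somewhere in the firmware or application image, and hackers find it with nothing more than `strings` and a few patterns. The script below is an added example (not Fortinet’s code and not part of the original post) that does the same thing against an image file: it pulls out printable-ASCII runs and flags the ones that look like a login or password assignment, a shadow-style password hash, or an embedded private key. The image bytes it scans are constructed here for illustration and contain no real credential; the patterns are deliberately broad, so the hits are a triage list, not a verdict.

```python
"""Scan a firmware/application image for embedded credential material.

Added example, not Fortinet's code or the original post's.  The sample image
below is constructed for illustration and contains no real credential.
"""
import re

# Constructed sample: a few printable strings embedded in binary padding,
# mimicking what a packed firmware image looks like to `strings`.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"mgmt_login=fgtmgr\x00"
    + b"mgmt_pass=S3cretStaticKey!\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"root:$1$abcdefgh$ijklmnopqrstuvwxyz01234:17000:0:99999:7:::\x00"
    + b"GET /login HTTP/1.1\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"
    + b"\xff" * 8
)


def extract_strings(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes (what `strings` does)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# (name, regex).  No leading word boundary on the keyword, so prefixed names
# such as "mgmt_pass=" are caught; the price is more false positives to triage.
CREDENTIAL_PATTERNS = [
    ("password assignment", re.compile(r"(?i)(pass|passwd|password|pwd|secret)\w*\s*[=:]\s*\S+")),
    ("login assignment", re.compile(r"(?i)(user|username|login)\w*\s*[=:]\s*\S+")),
    ("shadow-style hash", re.compile(r"^\w+:\$(1|2[aby]?|5|6)\$[^:]+:")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def find_credentials(data):
    """Return (pattern name, matching string) pairs found in the image bytes."""
    hits = []
    for s in extract_strings(data):
        for name, pat in CREDENTIAL_PATTERNS:
            if pat.search(s):
                hits.append((name, s))
    return hits


if __name__ == "__main__":
    for name, s in find_credentials(SAMPLE_IMAGE):
        print(f"{name:20s} {s}")
```

Against the sample image this reports the login/password pair, the shadow-style hash line and the private-key header, and ignores the unrelated HTTP request string. Real images are usually compressed or packed, so unpack them first (with the vendor’s tools or a firmware extraction utility) and run this over the extracted filesystem and binaries; a credential that only appears after decryption at run time will not show up, which is itself worth knowing.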

If you do have a back door, then you need to figure out how to mitigate the risk.  I used to have, many years ago, a high end phone system that could be remotely managed, via modem, by the vendor.  I had a simple answer to hackers.  I unplugged the modem unless I was talking to the vendor and they said they needed to remotely access it.  Simple.  But effective.

For more information on the Fortinet problem, read their blog post here.