As the folk music group Peter, Paul and Mary wrote in 1962 – about a completely different subject – When Will They Ever Learn? It appears that, for software companies, the answer is a big question mark.
First Juniper got caught with a hard coded back door of unknown origins in their routers and firewalls. Then Cisco got in trouble for hard coded credentials. Now it is Fortinet.
The interesting thing is that these three companies are all security vendors. If they can’t figure it out, is it likely that the rest of the software community has it figured out?
In Fortinet’s case, it wasn’t a back door in the sense of something designed to allow unauthorized people to log in to their firewalls, switches and other devices. But the effect is the same. Fortinet makes a central management application that allows a company to manage their Fortinet Security appliances and switches remotely. That management console needs to exchange information with the devices in order to allow a network administrator to manage all those devices remotely.
Fortinet, of course, wants to make this easy for administrators. What better way to do that than to hard code a set of credentials (userid and password) between the management console and the devices to be managed.
What could go wrong with that?
Vulnerable products are FortiAnalyzer release 5.0 and 5.2, Fortiswitch 3.3, Forticache 3.0 and FortiOS 4.1, 4.2, 4.3 and 5.0.
Obviously this is a problem for Fortinet customers, but there is a bigger issue here.
If security product vendors are not smart enough to figure out that hard coding credentials, no matter how well intentioned, is a problem, what are millions of other vendors doing? Likely the same thing. Or, MUCH WORSE!
And do I think hackers are smart enough to look for those hard coded credentials? Probably. No, definitely.
The systems that are probably at the biggest risk are those that are remotely managed and/or those that are managed by a third party. An example of both of these are many point of sale cash register systems, such as some of those that have been hacked in the last few years. For systems to be managed remotely, especially by third parties, it is a whole lot easier if every system can be access using a single userid and password.
If you have one or more systems (such as a POS or Alarm system), you should ask the vendor about how credentials work and how you can periodically change the password to comply with your company’s security policy. If the answer is that you can’t change the password, then what you have is a backdoor. Maybe an authorized one, but still a backdoor.
If you do have a back door, then you need to figure out how to mitigate the risk. I used to have, many years ago, a high end phone system that could be remote managed, via modem, by the vendor. I had a simple answer to hackers. I unplugged the modem unless I was talking to the vendor and they said they needed to remotely access it. Simple. But effective.
For more information on the Fortinet problem, read their blog post here.