Following the recent SSH backdoor revelation in its Fortiguard security product, Fortinet says it undertook an additional review of its products.
“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS”.
“this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. ”
The SSH backdoor account was found in these products:
- FortiAnalyzer: 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
- FortiSwitch: 3.3.0 to 3.3.2
- FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
- FortiOS 4.1.0 to 4.1.10
- FortiOS 4.2.0 to 4.2.15
- FortiOS 4.3.0 to 4.3.16
- FortiOS 5.0.0 to 5.0.7
