Fortinet was founded with the goals of providing the best-performing security devices on the planet in combination with unmatched value and features. We take our technology and product quality seriously, and, with that in mind, we want to make customers aware of software updates that address vulnerabilities related to the Full Disclosure SSH issue posted last week here on the Fortinet blog.
In addition to ISO industry-leading best practices, we follow and comply with regular review processes that include multiple tiers of inspection, internal and third-party audits and automated triggers and tools across the entire development of our source code.
Following the recent SSH issue, Fortinet's Product Security Incident Response Team, in coordination with our engineering and QA teams, undertook an additional review of all Fortinet products. During this review we discovered the same vulnerability on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS.
As previously stated, this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note that this is not a case of a malicious backdoor implemented to grant unauthorized user access.
In accordance with responsible disclosure, today we have issued a security advisory that provides a software update that eliminates this vulnerability in these products. This update also covers the legacy and end-of-life products listed above. We are actively working with customers and strongly recommend that all customers using the following products update their systems with the highest priority:
Please refer to the Product Security Advisory posted here https://fortiguard.com/psirt/FG-IR-16-001 for further information.
If you have further questions, please reach out to Fortinet at PSIRT@fortinet.com or through your typical Customer Support contacts.