PSIRT Advisory

FortiBalancer Remote SSH Vulnerability

Description

A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect.

Impact

Remote Access

Affected Products

FortiBalancer 400, 1000, 2000 and 3000.
All software versions are affected.

Solutions

Apply the patch provided on the Fortinet Support site, or use one of the workarounds shown below. The patch and supporting documentation are available in the FortiBalancer firmware download directory, accessible from https://support.fortinet.com. The following files are available:

    FortiBalancer-Component-Patch.pdf - Installation instructions
    FBLOS-FortiBalancer-Patch-2014_02.fn - System patch
Other Workarounds:

1. Disable SSH in the Web UI via Admin Tools -> System Management. Uncheck "enable SSH access" and click "save changes" at the top right.

2. Disable SSH from the console:

    config t
    ssh off
    write memory
    exit

3. Use Webwall rules to block TCP port 22 traffic destined for the load balancer's external IP address:

    config t
    accesslist deny tcp 0.0.0.0 0.0.0.0 0 <external-ip-address> 255.255.255.255 22 100
    accesslist permit tcp 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 100
    accessgroup 100 <external-port>
    webwall <external-port> on
    write memory
    exit

4. Use a firewall to block TCP port 22 access to the FortiBalancer.
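Whichever workaround is applied, the result should be confirmed from a host outside the load balancer: TCP port 22 on the external address must no longer accept connections. The checker below is an added example and is not part of the Fortinet advisory or of the FortiBalancer software. The address 192.0.2.10 is a placeholder to be replaced with the real external IP, the function names are the example's own, and the local mock listener is a constructed stand-in for an exposed SSH service so the checker can be exercised offline.

```python
"""Added example (not from the Fortinet advisory): verify that TCP port 22 on the
FortiBalancer external address is closed after applying a workaround."""
import socket
import threading

# Placeholder only (TEST-NET-1 range): replace with the load balancer's external IP.
EXTERNAL_IP = "192.0.2.10"
SSH_PORT = 22


def ssh_port_state(host: str, port: int = SSH_PORT, timeout: float = 3.0) -> dict:
    """Probe host:port once and report what was observed.

    Returns a dict with:
      reachable - True if the TCP handshake completed
      banner    - first line the server sent (an SSH server announces itself
                  with 'SSH-2.0-...' right after the handshake), else None
      error     - exception class name if the connection failed, else None
    """
    state = {"reachable": False, "banner": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            state["reachable"] = True
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""  # open port but silent: not an SSH server
            if data:
                first_line = data.split(b"\n", 1)[0]
                state["banner"] = first_line.decode("ascii", "replace").strip()
    except OSError as exc:  # refused, timed out, unreachable, ...
        state["error"] = type(exc).__name__
    return state


def mitigation_effective(state: dict) -> bool:
    """The workaround worked only if no TCP connection to the port could be made.

    A reachable port with a non-SSH banner is still a finding: the advisory's
    workarounds are meant to make port 22 on the external address unreachable.
    """
    return not state["reachable"]


def start_mock_ssh_listener(banner: bytes = b"SSH-2.0-mock\r\n"):
    """Constructed stand-in for an exposed SSH service, used only to exercise
    the checker offline. Returns (port, stop) where stop() shuts it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def free_closed_port() -> int:
    """Pick a local port that nothing listens on, to simulate a blocked port 22."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    result = ssh_port_state(EXTERNAL_IP)
    verdict = "CLOSED (workaround effective)" if mitigation_effective(result) else "OPEN"
    print(f"{EXTERNAL_IP}:{SSH_PORT} -> {verdict} {result}")
```

Run it from a host on the external side of the load balancer, since a check from the inside (or from the appliance itself) says nothing about whether the Webwall or firewall rule is in the right place. The banner field distinguishes a silently open port from one where an SSH daemon is still answering, which is useful when the rule was applied to the wrong interface.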