Brief Statement Regarding Issues Found with FortiOS
The recent issue that was disclosed publicly was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase. This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts.
After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.
If you are using:
FortiOS v4.3.17 or any later version of FortiOS v4.3 (available as of July 9, 2014)
FortiOS v5.0.8 or any later version of FortiOS v5.0 (available as of July 28, 2014)
Any version of FortiOS v5.2 or v5.4
You are not affected by this.
If you are affected by this, Fortinet recommends you immediately update your FortiOS product.
Please refer to the Product Security Advisory posted here http://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-login-vulnerability for further information.
Any additional information will be made available if warranted.
Fortinet, through its Product Security team, is committed to reasonable and responsible disclosure of all vulnerabilities and security issues in its products. Fortinet encourages any and all reporters of vulnerability issues to work with Fortinet in a responsible fashion to ensure the security of our products and our customers. Anyone who wishes to report a security issue to Fortinet is encouraged to contact us through the details located at www.fortiguard.com/psirt .
UPDATE: for more information please see our additional blog here http://ftnt.net/1nyzn5f