Last month, a significant finding in Fortinet devices was discovered and published. When I say significant, I mean, it’s huge – Multiple Products SSH Undocumented Login Vulnerability. In other words, there’s a username/password combination that works on all devices running the affected firmware versions. If you are still running an affected version, you NEED to upgrade now! This is bad in so many ways, especially following similar issues with Juniper and everything we’ve seen from Snowden’s data dumps. Fortinet responded by saying ‘This was not a “backdoor” vulnerability issue but rather a management authentication issue.’
Is that right? What is a “backdoor” and what is “management authentication”? Is there an actual difference between the two, or is just a vendor trying to save their butt? I got into a discussion about that on twitter:
@rnelson0 @discoposse @mdowd I am not sure I understand? Are you saying to qualify as a backdoor it must be robust to system changes?
— Ethan Heilman (@Ethan_Heilman) January 12, 2016
Ethan challenged me to think about the terminology and I think I’ve come around a bit. Here’s what I now believe the two terms mean.
- Management Authentication: A login available for tech support. The user/password should vary between devices, maybe predicated on a serial number or some other attribute. A key attribute is that the device owner has control of whether or not the login is enabled.
- Backdoor: Any sort of authentication mechanism to a system in which the owner has no control over whether or not it’s enabled.
I would originally have said that a vendor purposefully providing a backdoor, even if it were varied between devices, was a management authentication system. But that’s legacy speaking. I remember calling Novell for support with Netware when we were locked out and having a recovery path. In 1999, that was somewhat acceptable. Users weren’t as savvy, hacks weren’t as automated, and systems weren’t as connected. Regardless, it was still a backdoor, it was just more convenient and less likely to backfire.
I’ll add a third category using some more modern terminology:
- Advanced Persistent Backdoor: Similar to a backdoor, but purposefully malicious. Attempts to deactivate or mitigate the backdoor (i.e. disabling ssh) will not be allowed and the backdoor will ignore the settings or return in some other way.
I’d like to thank Ethan for the assistance in challenging my preconceptions and evolving my understanding.