Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Firewall)  >   Fortinet FortiGate/FortiOS Vendors:   Fortinet
FortiGate Antivirus Firewall Uses a Common Maintenance Account Password That Yields Root Access to Physically Local Users
SecurityTracker Alert ID:  1014126
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 8 2005
Impact:   Root access via local system
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): FortiOS 2.8
Description:   A vulnerability was reported in the FortiGate Antivirus Firewall. A physically local user can gain administrative access.

The device uses a default root access account. The account username is 'maintainer' and the password is set to the serial number of the device. A physically local user can gain root access to the target device.

Johan Andersson disclosed this vulnerability. Juha-Matti Laurio reported this to us.

Impact:   A physically local user can gain root access on the target device.
Solution:   No solution was available at the time of this entry.

As a workaround, physical access to the console can be restricted.

Vendor URL: (Links to External Site)
Cause:   Configuration error

Message History:   None.

 Source Message Contents

Subject:  Fortinet FortiGate Firewall Weak Default Root Password

- Overview:

> From the vendor:

"The FortiGate Antivirus Firewall supports network-based deployment of 
application-level services, including virus protection and full-scan content 
FortiGate units improve network security, reduce network misuse and abuse, and help 
you use communications resources more efficiently without compromising the 
performance of your network. The FortiGate unit is a dedicated easily managed 
security device that delivers a full suite
of capabilities."

There is a default root access password vulnerability in Fortinet FortiGate Firewall 
device using FortiOS 2.x operating system.

- Original BugTraq mailing list posting on 1st Jun, 2005:
"If you have console access to this box, you are able to get root access or more by 
using the Username: maintainer Password: pbcpbn[here should you type the serialnr. of 
the box, the characters should be in Capital letters.]
FortiOS: 2.x"

Information mentioned was posted to a public security mailing list in June, 2005.
As reported later, this is a documented feature of the FortiGate and FortiLog 

Original disclosure date: 1st Jun 2005

- Details:
The problem is that FortiGate Firewall's default root (administrative) password is 
same as the device's serial number labelled in the device. The default user name was 
published too.

This can lead to an unauthorized access to the device as a root user, if access to 
the affected device is possible.

OS: Fortinet FortiOS 2.x

Remote/Local type: Local

CVE reference: N/A

Vendor Home Page:
Fortinet Inc.

Product Home Page:
FortiGate Antivirus Firewalls

- Solution:
Currently there is no information about solution to this issue.
A local console access is needed to exploit this issue, however. This reduces the 
possibility to exploit this vulnerability.

1) Restrict access to the affected device physically.
2) Make an inventory list about firewall devices and administrative persons in 
3) Confirm that there is no misuse of affected device due to this published issue.

Reported by/Credit: Johan Andersson, Atea Security, Sweden
johan.andersson [at]
Report written and workaround offered by Juha-Matti Laurio, Finland

- References:
(BugTraq posting on 1st Jun, 2005)
(Cybertrion Systems)
(Fortinet Knowledge Center -  FortiOS v2.80)

This report information was provided to security companies and CERT units to help 
them to update their vulnerability databases and to share information about 
increasing IT security in organizations affected devices in use.

Best regards,
Juha-Matti Laurio
IT security researcher

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC