Security researcher found a hardcoded SSH Key in Fortinet SIEM appliances

Security researcher Andrew Klaus, from Cybera, discovered a hardcoded SSH public key in Fortinet’s FortiSIEM (Security Information and Event Management) appliance that can be used to cause a denial of service against the FortiSIEM Supervisor.

Fortinet devices share the same SSH key for the user ‘tunneluser’, and it is stored in plain text [1]:

FortiSIEM has a hardcoded SSH public key for user "tunneluser" which is the
same between all installs. An attacker with this key can successfully
authenticate as this user to the FortiSIEM Supervisor. The unencrypted key
is also stored inside the FortiSIEM image. While the user's shell is
limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH
authentication still succeeds.

The researcher reported the issue to Fortinet, which published a security advisory [2] and tracked the vulnerability as CVE-2019-17659.

Both Klaus and Fortinet published a simple workaround for the issue:

Clear out (or delete) the /home/tunneluser/.ssh/authorized_keys file on the
Supervisor:

supervisor# echo "" > /home/tunneluser/.ssh/authorized_keys

OR

supervisor# rm /home/tunneluser/.ssh/authorized_keys

Also, ensure any of your nodes are behind firewalls with only trusted
access to ports.
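The workaround above leaves nothing behind to verify except the state of one file, so here is a small audit script, added as an example and not taken from the advisory or from Fortinet’s own tooling, that checks whether the Supervisor’s /home/tunneluser/.ssh/authorized_keys file still authorizes any key. It assumes only POSIX sh, grep and awk; the function names and the TUNNELUSER_KEYS override are my own, and the path is the one the advisory names.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Fortinet's tooling: audit the
# tunneluser authorized_keys file and report whether the workaround (emptying
# or deleting it) has been applied. POSIX sh, grep and awk only. The default
# path is the one the advisory names; TUNNELUSER_KEYS overrides it for tests.
TUNNELUSER_KEYS="${TUNNELUSER_KEYS:-/home/tunneluser/.ssh/authorized_keys}"

# Lines that carry no key: blank lines and comments.
NOKEY_RE='^[[:space:]]*(#|$)'

# count_authorized_keys FILE -> prints the number of key entries in FILE.
# A missing or emptied file (the state after the workaround) counts as zero.
count_authorized_keys() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo 0
        return 0
    fi
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    n=$(grep -c -v -E "$NOKEY_RE" "$file") || n=0
    echo "${n:-0}"
}

# list_authorized_keys FILE -> prints "type comment" for each key entry.
# A leading options field (e.g. command="...",no-pty) is skipped; options
# containing spaces inside quotes are not handled by this simple split.
list_authorized_keys() {
    file="$1"
    [ -f "$file" ] || return 0
    grep -v -E "$NOKEY_RE" "$file" | awk '
        $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/ {
            print $1, ($3 == "" ? "(no comment)" : $3); next }
        { print $2, ($4 == "" ? "(no comment)" : $4) }'
}

# audit_tunneluser_keys [FILE] -> returns 0 when no keys remain (workaround
# in place), 1 when the file still authorizes at least one key.
audit_tunneluser_keys() {
    file="${1:-$TUNNELUSER_KEYS}"
    count=$(count_authorized_keys "$file")
    if [ "$count" -eq 0 ]; then
        echo "OK: $file authorizes no keys"
        return 0
    fi
    echo "WARNING: $file still authorizes $count key(s):"
    list_authorized_keys "$file" | sed 's/^/  /'
    return 1
}

# Stand-alone use: sh audit.sh [FILE]; a non-zero exit means keys remain.
audit_tunneluser_keys "$@"
```

Run it on the Supervisor as root after applying the workaround; a non-zero exit status means the file still contains at least one key, and the listing shows the key type and comment of each entry so a replaced shared key is as visible as the original one. Note that a vendor upgrade may rewrite this file, so the check is worth repeating after patching.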

Obviously, the best solution is to “upgrade to FortiSIEM version 5.2.7 and above”, according to the Fortinet advisory.


References

  1. https://seclists.org/fulldisclosure/2020/Jan/10
  2. FortiSIEM default SSH key for the “tunneluser” account is the same across all appliances
