Security researcher Andrew Klaus, from Cybera, discovered a hardcoded SSH public key in Fortinet's Security Information and Event Management product, FortiSIEM, that can be used to cause a denial of service against the FortiSIEM Supervisor.
All FortiSIEM installs share the same SSH key for the user 'tunneluser', and the key is stored in plain text in the image [1]:

FortiSIEM has a hardcoded SSH public key for user "tunneluser" which is the
same between all installs. An attacker with this key can successfully
authenticate as this user to the FortiSIEM Supervisor. The unencrypted key
is also stored inside the FortiSIEM image. While the user's shell is
limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH
authentication still succeeds.

The researcher reported the issue to Fortinet, which published a security advisory [2] and tracked the vulnerability as CVE-2019-17659.

Both Klaus and Fortinet published a simple workaround for the issue:

Clear out (or delete) the /home/tunneluser/.ssh/authorized_keys file on the
Supervisor:

supervisor# echo "" > /home/tunneluser/.ssh/authorized_keys

OR

supervisor# rm /home/tunneluser/.ssh/authorized_keys

Also, ensure any of your nodes are behind firewalls with only trusted
access to ports.

Obviously, the best solution is to "upgrade to FortiSIEM version 5.2.7 and above", as the Fortinet advisory recommends.
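Two defender-side checks that follow from the workaround above, written here as an added example (not code from the post, from Klaus' advisory or from Fortinet): one confirms that /home/tunneluser/.ssh/authorized_keys (the path named in the workaround) holds no active key entries and applies the truncation if it does, the other scans sshd log lines for accepted logins as tunneluser. The standard syslog "Accepted <method> for <user> from <ip>" sshd format is assumed, and the sample key file and log lines are constructed placeholders.

```shell
# Added example for CVE-2019-17659 hardening checks; not part of the original post.
# Assumes the authorized_keys path from the workaround and standard sshd syslog lines.

# Print the number of active key entries in an authorized_keys file
# (blank lines and '#' comments are ignored; a missing file counts as 0).
# Zero means the workaround (empty or deleted file) is in effect.
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E '^[[:space:]]*[^#[:space:]]' "$1" || true
}

# Apply the workaround the way the advisory does: truncate the file in place
# (keeping ownership and mode), then confirm no key entries remain.
neutralize_authorized_keys() {
    : > "$1"
    [ "$(count_authorized_keys "$1")" -eq 0 ]
}

# Read sshd log lines from stdin and print "source-ip auth-method" for every
# accepted login as tunneluser. Any output on a Supervisor that should see no
# tunneluser sessions is worth investigating.
tunneluser_logins() {
    awk '{
        hit = 0; src = ""; method = ""
        for (i = 1; i < NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for" && $(i + 1) == "tunneluser") hit = 1
            if ($i == "from") src = $(i + 1)
        }
        if (hit) print src, method
    }'
}

# Constructed sample data (placeholder key, fabricated log lines) so this runs offline.
SAMPLE_KEYS=$(mktemp)
printf '# managed by FortiSIEM\nssh-rsa AAAAB3Nz...PLACEHOLDER tunneluser@fortisiem\n' > "$SAMPLE_KEYS"
SAMPLE_LOG='Jan 20 10:00:01 supervisor sshd[1201]: Accepted publickey for tunneluser from 192.0.2.10 port 51234 ssh2: RSA SHA256:PLACEHOLDER
Jan 20 10:00:09 supervisor sshd[1207]: Failed password for admin from 192.0.2.11 port 51240 ssh2
Jan 20 10:01:15 supervisor sshd[1220]: Accepted password for admin from 198.51.100.5 port 40000 ssh2'

echo "key entries before: $(count_authorized_keys "$SAMPLE_KEYS")"   # 1
neutralize_authorized_keys "$SAMPLE_KEYS"
echo "key entries after:  $(count_authorized_keys "$SAMPLE_KEYS")"   # 0
echo "tunneluser logins:"
printf '%s\n' "$SAMPLE_LOG" | tunneluser_logins   # 192.0.2.10 publickey
rm -f "$SAMPLE_KEYS"
```

On a real Supervisor, point `count_authorized_keys` at /home/tunneluser/.ssh/authorized_keys and pipe the sshd log into `tunneluser_logins`.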


References

  1. https://seclists.org/fulldisclosure/2020/Jan/10
  2. FortiSIEM default SSH key for the "tunneluser" account is the same across all appliances