Security researcher found a hardcoded SSH Key in Fortinet SIEM appliances
Security researcher Andrew Klaus, from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product, FortiSIEM, that can be used to generate a denial of service against the FortiSIEM Supervisor.
Fortinet devices share the same SSH key for the user ‘tunneluser’, and it is stored in plain text [1]:
FortiSIEM has a hardcoded SSH public key for user "tunneluser" which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key is also stored inside the FortiSIEM image. While the user's shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.
The researcher reported the issue to Fortinet, which published a security advisory [2] and tracked the vulnerability as CVE-2019-17659.
Both Klaus and Fortinet published a simple workaround for the issue:
Clear out (or delete) the /home/tunneluser/.ssh/authorized_keys file on the Supervisor:
supervisor# echo "" > /home/tunneluser/.ssh/authorized_keys
OR
supervisor# rm /home/tunneluser/.ssh/authorized_keys
Also, ensure any of your nodes are behind firewalls with only trusted access to ports.
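The workaround above amounts to making sure no key remains in the tunneluser authorized_keys file. The following script is an added example, not code from Fortinet or from the researcher: it wraps the advisory's first variant (truncating the file) in a function that also reports how many key entries it removed, and pairs it with a check that confirms the workaround is in place. The file path is the one given in the advisory; the function names and the parameter that lets the check run against any path are assumptions made here so the check can be run against a copy before touching the live Supervisor.

```shell
#!/bin/sh
# Added example (not from the advisory): verify and apply the tunneluser
# authorized_keys workaround for CVE-2019-17659 on a FortiSIEM Supervisor.
# The default path is the one named in the advisory; pass another path to
# test against a copy of the file.
AUTHORIZED_KEYS_DEFAULT=/home/tunneluser/.ssh/authorized_keys

# A line counts as a key entry if it is non-blank and does not start with '#'.
KEY_LINE_RE='^[[:space:]]*[^#[:space:]]'

# Returns 0 when the workaround is in place: the file is absent, empty, or
# contains no key entries. Returns 1 if at least one key would still be accepted.
tunneluser_key_cleared() {
    f="${1:-$AUTHORIZED_KEYS_DEFAULT}"
    [ -e "$f" ] || return 0
    if grep -q -E "$KEY_LINE_RE" "$f"; then
        return 1
    fi
    return 0
}

# Truncates the file (the advisory's "echo > authorized_keys" variant) and
# prints the number of key entries that were removed; prints 0 if the file
# does not exist, so the call is safe to repeat.
apply_tunneluser_workaround() {
    f="${1:-$AUTHORIZED_KEYS_DEFAULT}"
    [ -e "$f" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0, so keep the count and ignore the status
    n=$(grep -c -E "$KEY_LINE_RE" "$f" || true)
    : > "$f"
    echo "$n"
}

# Usage on the Supervisor (as root):
#   . ./tunneluser_workaround.sh
#   apply_tunneluser_workaround          # prints number of entries removed
#   tunneluser_key_cleared && echo "workaround in place"
```

Re-running the check after the upgrade to 5.2.7 or later is a cheap way to confirm the shared key did not reappear in a restored image or backup.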
Obviously, the best solution is to "upgrade to FortiSIEM version 5.2.7 and above", according to the Fortinet advisory.