Fortinet removed hardcoded SSH keys and database backdoors from FortiSIEM

The vendor Fortinet has finally released security patches to remove the hardcoded SSH keys in Fortinet SIEM appliances.

Fortinet has finally released security updates to remove the hardcoded SSH keys in Fortinet SIEM appliances.

Recently Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management FortiSIEM that can be used by attackers to the FortiSIEM Supervisor. 

The expert discovered that the Fortinet devices share the same SSH key for the user ‘tunneluser‘, and it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a condition of denial of service. 

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser‘ only runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP.

On January 15, Fortinet released a patch that removed the hardcoded public key in FortiSIEM.

Fortinet urges customers to install the patch for CVE-2019-17659, or restrict the access to FortiSIEM’s “tunneluser” port (19999). Users would upgrade to FortiSIEM version 5.2.7 and above.

Fortinet also addressed another issue in Fortinet’s FortiSIEM, tracked as CVE-2019-16153, that is related to the presence of a hardcoded password in the FortiSIEM database component. The flaw could be exploited by attackers to access the device database via the use of static credentials.

“A hard-coded password vulnerability in the FortiSIEM database component may allow attackers to access the device database via the use of static credentials.” reads the advisory published by Fortinet.

The issue affects FortiSIEM 5.2.5 and below, it could be addressed by upgrade systems to FortiSIEM 5.2.6 or above.

The issue was reported to Fortinet by the independent security researcher Srour Ganoush, “CERT CYBERPROTECT” and “Chris Armstrong from CSCI, Inc.

Pierluigi Paganini

(SecurityAffairs – Fortinet, hacking)

Share On