FortiSIEM Suffers From Hardcoded SSH Key Vulnerability

• The vulnerability could lead to a denial of service condition.
• Fortinet has fixed the flaw in version 5.2.7 of FortiSIEM.

A security expert discovered a hard coded cryptographic key vulnerability in Fortinet’s Security Information and Event Management (FortiSIEM), which could be exploited by an attacker to get access to FortiSIEM Supervisor.

What happened?

Andrew Klaus, a security professional from Cybera, came across a hardcoded SSH public key in FortiSIEM. The vulnerability is tracked as CVE-2019-17659.

Klaus revealed that a hardcoded SSH key for the user 'tunneluser' was found to be shared across other Fortinet devices, and stored in plain text. As noted in the advisory published by Fortinet, the vulnerability could lead to the denial of service (DDoS).

"A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image," read the advisory published by Fortinet.

Restricted user ‘tunneluser‘ runs in a restricted shell and lets only that user create tunnel connections from the supervisor to the originating IP address.

The timeline of the vulnerability

The flaw affects FortiSIEM version 5.2.6 and earlier versions. Below is the timeline of the vulnerability disclosure as per a thread on the Seclists forum.

• Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
• Dec 3, 2019: Automated reply from PSIRT that email was received.
• Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human confirmation.
• Jan 3, 2019: Public Release.

As per Klaus, no human response was received from Fortinet for over 30 days. However, Fortinet has now addressed the flaw with the release of FortiSIEM version 5.2.7.

Vulnerability workaround

Fortinet directed customers who aren’t using the reverse tunnel feature to disable SSH on port 19999 that only allows tunneluser to authenticate. Fortinet also advised customers to disable tunneluser SSH access on port 22.