FortiSIEM Suffers From Hardcoded SSH Key Vulnerability


The vulnerability could lead to a denial of service condition.
Fortinet has fixed the flaw in version 5.2.7 of FortiSIEM.

A security expert discovered a hard coded cryptographic key vulnerability in Fortinet’s Security Information and Event Management (FortiSIEM), which could be exploited by an attacker to get access to FortiSIEM Supervisor.


What happened?


Andrew Klaus, a security professional from Cybera, came across a hardcoded SSH public key in FortiSIEM. The vulnerability is tracked as CVE-2019-17659.


Klaus revealed that a hardcoded SSH key for the user 'tunneluser' was found to be shared across other Fortinet devices, and stored in plain text. As noted in the advisory published by Fortinet, the vulnerability could lead to the denial of service (DDoS).


"A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image," read the advisory published by Fortinet.


Restricted user ‘tunneluser‘ runs in a restricted shell and lets only that user create tunnel connections from the supervisor to the originating IP address.


The timeline of the vulnerability


The flaw affects FortiSIEM version 5.2.6 and earlier versions. Below is the timeline of the vulnerability disclosure as per a thread on the Seclists forum.


Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
Dec 3, 2019: Automated reply from PSIRT that email was received.
Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human confirmation.
Jan 3, 2019: Public Release.

As per Klaus, no human response was received from Fortinet for ov ..

Support the originator by clicking the read the rest link below.