Fortinet SSH Key Can Allow Access To FortiSIEM Supervisor

Security expert Andrew Klaus from Cyberra recently found a hardcoded public SSH key that can let hackers access the Fortinet SIEM (Security Information and Event Management) supervisor.

According to Klaus, Fortinet devices share the same SSH key for the user “tunneluser”, and the key is stored in plain text.

“FortiSIEM has a hardcoded public SSH key for user tunneluser which is the same between all installations. An attacker with this key can successfully access FortiSIEM supervisor” – Seclist

Fortinet published a security advisory for the issue, which is tracked as CVE-2019-17659.

The vulnerability can also let an attacker trigger a DDoS condition.

The vulnerable user “tunneluser” runs only in a restricted shell, which lets the user do nothing more than create tunnel connections between the supervisor and the origin IP. Fortinet has called on customers to disable SSH on port 19999, which only allows “tunneluser” to authenticate. The company also advises disabling user SSH access on port 22.

The affected versions of the supervisor are 5.2.6 and below.
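Because the key is identical on every installation, a key fingerprint cannot separate expected tunnels from unwanted ones, so the source address is what to check. The following is an added example, not code from Fortinet or the advisory: it scans OpenSSH-style auth log lines for successful “tunneluser” logins from outside an allowlist. The function name, log lines, addresses, fingerprint and allowlist are constructed assumptions.

```python
import ipaddress
import re

# OpenSSH success line. The "port" field is the client's source port, so the
# listener (19999 or 22) cannot be told apart from this line alone.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+(?: ssh2)?(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

def unexpected_logins(lines, allowed_cidrs, user="tunneluser"):
    """Return successful logins for `user` whose source is outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m or m["user"] != user:
            continue  # failed attempts and other accounts are out of scope here
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # unparsable source: report it rather than skip it
        if src is not None and any(src in net for net in allowed):
            continue
        hits.append({"ip": m["ip"], "method": m["method"], "fingerprint": m["fp"]})
    return hits

# Constructed sample data (documentation address ranges, made-up fingerprint).
# Both tunneluser sessions show the same fingerprint: the key is shared.
FP = "SHA256:CONSTRUCTEDsharedKeyFingerprint0000000000000"
SAMPLE_LOG = [
    f"Jan 20 09:14:02 super sshd[4121]: Accepted publickey for tunneluser from 192.0.2.15 port 51844 ssh2: RSA {FP}",
    f"Jan 20 09:20:37 super sshd[4188]: Accepted publickey for tunneluser from 203.0.113.77 port 40210 ssh2: RSA {FP}",
    f"Jan 20 09:21:05 super sshd[4190]: Failed publickey for tunneluser from 203.0.113.77 port 40212 ssh2: RSA {FP}",
    "Jan 20 09:25:40 super sshd[4201]: Accepted password for admin from 198.51.100.9 port 60022 ssh2",
]

if __name__ == "__main__":
    # Assumption: 192.0.2.0/24 is where the legitimate tunnel origins live.
    for hit in unexpected_logins(SAMPLE_LOG, ["192.0.2.0/24"]):
        print("unexpected tunneluser login:", hit)
```

Once SSH on port 19999 and the user's access on port 22 are disabled as advised, any hit at all is worth investigating, so the allowlist can be left empty.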
