Security expert Andrew Klaus from Cyberra recently found a hardcoded public SSH key that can let hackers access the Fortinet SIEM (Security Information and Event Management) supervisor.
According to Andrew, Fortinet devices share the same SSH key for the user “tunneluser”, and the key is stored in plain text.
“FortiSIEM has a hardcoded public SSH key for user tunneluser which is the same between all installations. An attacker with this key can successfully access FortiSIEM supervisor” – Seclist
Fortinet published a security advisory for the issue, which is tracked as CVE-2019-17659.
The vulnerability can also let an attacker trigger a DDoS condition.
The vulnerable user “tunneluser” runs only in a restricted shell, which lets the user do nothing except create tunnel connections between the supervisor and the origin IP. Fortinet has called on customers to disable SSH on port 19999, which only allows “tunneluser” to authenticate; the company also advises disabling user SSH access on port 22.
Only supervisor versions 5.2.6 and below are affected.
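
A fleet audit for the condition described above (one key authorized for the same account on every installation), as an added example that is not from the advisory or from Fortinet: it fingerprints `authorized_keys` entries collected from several hosts and reports any key authorized for the same user on more than one host. The host names, the inventory layout and the key blobs are constructed placeholders.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Key type followed by the base64 key blob; options before it are skipped.
KEY_RE = re.compile(r'\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+={0,2})')

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None  # blank line or comment
    m = KEY_RE.search(line)
    if m is None:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:  # malformed base64
        return None
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')

def shared_keys(inventory):
    """{host: {user: [lines]}} -> {(user, fingerprint): [hosts]} for keys seen on 2+ hosts."""
    seen = defaultdict(set)
    for host, users in inventory.items():
        for user, lines in users.items():
            for line in lines:
                fp = fingerprint(line)
                if fp:
                    seen[(user, fp)].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}

def blob_for(seed):
    """Constructed placeholder blob, not a real SSH key."""
    return base64.b64encode(seed).decode()

# Constructed inventory: the tunneluser key repeats across hosts, admin keys do not.
INVENTORY = {
    'siem-a.example': {'tunneluser': ['restrict ssh-rsa ' + blob_for(b'constructed-shared-key!!') + ' tunnel'],
                       'admin': ['ssh-ed25519 ' + blob_for(b'constructed-admin-key-a!')]},
    'siem-b.example': {'tunneluser': ['ssh-rsa ' + blob_for(b'constructed-shared-key!!')],
                       'admin': ['ssh-ed25519 ' + blob_for(b'constructed-admin-key-b!')]},
}

if __name__ == '__main__':
    for (user, fp), hosts in shared_keys(INVENTORY).items():
        print(f'{user}: {fp} is authorized on {", ".join(hosts)}')
```
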