FortiSIEM default SSH key vulnerability

A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.

Note: Restricted user “tunneluser” runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP (i.e. enabling reverse-shell connections to the IP that initiated the connection). This is a feature that exists to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.

Affected Products

FortiSIEM version 5.2.6 and below.

Solutions

Please upgrade to FortiSIEM version 5.2.7 and above where this issue is resolved. 

Workaround (for FortiSIEM version 5.2.6 and lower): 

Customers who are not using the reverse tunnel feature are advised to disable SSH service on port 19999  by following the steps below :

1. SSH to the Supervisor node as the root user.

2. Remove tunneluser SSH configuration file to disable listening on port 19999:

rm -f /etc/ssh/sshd_config.tunneluser

echo rm -f /etc/ssh/sshd_config.tunneluser >> /etc/init.d/phProvision.sh

3. Then terminate sshd running on TCP Port 19999 as follows:

pkill -f /usr/sbin/sshd -p 19999

4.Additional steps can be performed on Supervisor to remove the keys associated with tunneluser account:

rm -f /opt/phoenix/deployment/id_rsa.pub.tunneluser

rm -f /home/tunneluser/.ssh/authorized_keys

rm -f /opt/phoenix/id_rsa.tunneluser ~admin/.ssh/id_rsa

Customers are also advised to disable “tunneluser” SSH access on port 22 by following the steps below:

1. SSH to the Supervisor node as the root user.

2. Add/edit the following line in sshd_config file: 

echo DenyUsers tunneluser >>  /etc/ssh/sshd_config

3. service sshd restart