PSIRT[FortiSiem] Hardcoded ssh credentials allow access to Supervisor as tunneluser
Summary
A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image.
Note: Restricted user "tunneluser" runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP (i.e. enabling reverse-shell connections to the IP that initiated the connection). This is a feature that exists to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.
Affected Products
FortiSIEM version 5.2.6 and below.
Solutions
Please upgrade to FortiSIEM version 5.2.7 and above where this issue is resolved.
Workaround (for FortiSIEM version 5.2.6 and lower):
Customers who are not using the reverse tunnel feature are advised to disable SSH service on port 19999 by following the steps below :
1. SSH to the Supervisor node as the root user.
2. Remove tunneluser SSH configuration file to disable listening on port 19999:
rm -f /etc/ssh/sshd_config.tunneluser
echo rm -f /etc/ssh/sshd_config.tunneluser >> /etc/init.d/phProvision.sh
3. Then terminate sshd running on TCP Port 19999 as follows:
pkill -f /usr/sbin/sshd -p 19999
4.Additional steps can be performed on Supervisor to remove the keys associated with tunneluser account:
rm -f /opt/phoenix/deployment/id_rsa.pub.tunneluser
rm -f /home/tunneluser/.ssh/authorized_keys
rm -f /opt/phoenix/id_rsa.tunneluser ~admin/.ssh/id_rsa
Customers are also advised to disable "tunneluser" SSH access on port 22 by following the steps bwlow:
1. SSH to the Supervisor node as the root user.
2. Add/edit the following line in sshd_config file:
echo DenyUsers tunneluser >> /etc/ssh/sshd_config
3. service sshd restart
Acknowledgement
Fortinet is pleased to thank Andrew Klaus for bringing this issue to our attention.