PSIRT Advisory

FortiSIEM default SSH key for the "tunneluser" account is the same across all appliances

Summary

A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser". The SSH private key for this account is identical on every appliance, so an attacker who extracts it from another installation or from a firmware image can authenticate as "tunneluser" on any affected FortiSIEM supervisor without holding any credential for that particular target.

Note: The restricted user "tunneluser" runs in a restricted shell that only lets it create tunnel connections from the supervisor back to the IP that initiated the SSH session (i.e. reverse connections to the originating IP). The account exists so that the supervisor can reach collectors that sit behind a firewall: the collector connects out to the supervisor as "tunneluser", and the supervisor uses that session to connect back to the collector. An attacker who holds the key therefore obtains that restricted shell, not an unrestricted login; what the tunnel feature allows from there is the extent of the direct impact.
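As an added example (not part of the Fortinet advisory or of the product), the check below is how one would audit a fleet for this class of problem: it parses authorized_keys-style lines collected from several supervisors, computes the OpenSSH SHA256 fingerprint of each key (the same value `ssh-keygen -lf` prints), and flags any key that appears on more than one host. Host names and key material are constructed for the example; the "keys" are filler bytes wrapped in valid ssh-ed25519 wire format, not the real tunneluser key.

```python
"""Fleet check for SSH public keys reused across appliances.

Added example for this advisory, not Fortinet code. It parses authorized_keys
style lines, computes the OpenSSH SHA256 fingerprint of each key and reports
keys that appear on more than one host. A key present on every appliance is
exactly the kind of baked-in credential the advisory describes.
"""
import base64
import hashlib
import shlex
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_line(filler: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line.

    The 32-byte 'public key' is a repeated filler byte so the example runs
    offline; no real key pair backs it (constructed sample data).
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([filler]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: three hypothetical supervisors. supervisor-a and
# supervisor-b accept the same tunneluser key; supervisor-c has a unique one.
SAMPLE_AUTHORIZED_KEYS = {
    "supervisor-a": "\n".join([
        "# tunneluser authorized_keys (constructed sample)",
        fake_ed25519_line(0x41, "tunneluser@fortisiem"),
    ]),
    "supervisor-b": fake_ed25519_line(0x41, "tunneluser@fortisiem"),
    "supervisor-c": fake_ed25519_line(0x7E, "tunneluser@fortisiem"),
}


def parse_authorized_keys(text: str):
    """Yield (key_type, base64_blob) for each key line, skipping comments/blanks.

    A line may start with options such as command="..." or no-pty, so the
    fields are scanned for the first one that names a key type. shlex keeps a
    quoted option containing spaces as a single field.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                yield field, fields[i + 1]
                break


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) minus padding."""
    blob = base64.b64decode(b64_blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(fleet: dict) -> dict:
    """Map fingerprint -> sorted hosts, for keys accepted on two or more hosts."""
    seen = defaultdict(set)
    for host, text in fleet.items():
        for _key_type, blob in parse_authorized_keys(text):
            seen[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    shared = find_shared_keys(SAMPLE_AUTHORIZED_KEYS)
    for fp, hosts in shared.items():
        print(f"{fp} is accepted by {', '.join(hosts)}: rotate it")
    if not shared:
        print("no shared keys found")
```

Feed it the contents of the tunneluser account's authorized_keys file from each supervisor (one entry per host). The same fingerprint function applied to a public key recovered from a firmware image tells you whether that image's key is one your appliances still accept.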

Impact

Unauthorized access: a remote unauthenticated attacker who holds the shared private key can authenticate over SSH to the supervisor as the restricted "tunneluser" account and use its tunnel feature to open connections from the supervisor back to the attacker's own IP.

Affected Products

FortiSIEM version 5.2.6 and below.

Solutions

Please upgrade to FortiSIEM version 5.2.7 or above, where this issue is resolved.

Workaround (for FortiSIEM version 5.2.6 and lower):

Please follow the steps detailed in the document below:

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD47776

Whether you upgrade or apply the workaround, verify afterwards that the public key accepted for "tunneluser" is no longer the one shared with other installations: the key on each of your appliances should differ from the key on every other appliance and from the key in any firmware image you have on hand.

Acknowledgement

Fortinet is pleased to thank Andrew Klaus for bringing this issue to our attention.