====================================================================
CERT-Renater Note d'Information No. 2020/VULN038
_____________________________________________________________________

DATE                 : 22/01/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FortiSIEM 5.2.6 and below (see "Affected Products").
=====================================================================

https://fortiguard.com/psirt/FG-IR-19-296
_____________________________________________________________________

FortiSIEM default SSH key for the "tunneluser" account is the same across all appliances

IR Number : FG-IR-19-296
Date      : Jan 15, 2020
Risk      : 2/5
Impact    : Denial of Service
CVE ID    : CVE-2019-17659

Summary

A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image. Because the same key pair ships on every appliance, anyone who extracts it once from any installation or firmware image holds the private key accepted by every unpatched supervisor.

Note: The restricted user "tunneluser" runs in a restricted shell that only lets that user create tunnel connections from the supervisor back to the originating IP (i.e. it enables reverse-shell connections to the IP that initiated the connection). This feature exists so that the supervisor can reach collectors when a firewall sits between the collector and the supervisor.

Impact

Denial of Service

Affected Products

FortiSIEM version 5.2.6 and below.

Solutions

Please upgrade to FortiSIEM version 5.2.7 or above, where this issue is resolved.

Workaround (for FortiSIEM version 5.2.6 and lower):

Customers who are not using the reverse tunnel feature are advised to disable the SSH service on port 19999 by following the steps below:

1. SSH to the Supervisor node as the root user.

2. Remove the tunneluser SSH configuration file to stop sshd listening on port 19999, and append the same removal to the provisioning script so the file does not come back on the next provisioning run:

     rm -f /etc/ssh/sshd_config.tunneluser
     echo rm -f /etc/ssh/sshd_config.tunneluser >> /etc/init.d/phProvision.sh

3. Then terminate the sshd instance running on TCP port 19999 (the pattern is quoted so that pkill matches the full command line of that instance only):

     pkill -f "/usr/sbin/sshd -p 19999"

4. Additional steps can be performed on the Supervisor to remove the keys associated with the tunneluser account:

     rm -f /opt/phoenix/deployment/id_rsa.pub.tunneluser
     rm -f /home/tunneluser/.ssh/authorized_keys
     rm -f /opt/phoenix/id_rsa.tunneluser ~admin/.ssh/id_rsa

Customers are also advised to disable "tunneluser" SSH access on port 22 by following the steps below:

1. SSH to the Supervisor node as the root user.

2. Add the following line to the sshd_config file:

     echo DenyUsers tunneluser >> /etc/ssh/sshd_config

3. Restart the SSH daemon:

     service sshd restart

Note that this workaround disables the reverse tunnel feature entirely; it is only suitable for deployments that do not rely on it, and the upgrade remains the actual fix.

Acknowledgement

Fortinet is pleased to thank Andrew Klaus for bringing this issue to our attention.

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41          +
+ 75013 Paris             | email:cert@support.renater.fr +
=========================================================
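The workaround above is a sequence of manual root commands. The script below is an added example written for this note (it is not Fortinet's or CERT-Renater's code): it wraps the same steps in two POSIX sh functions, one that reports which parts of the tunneluser exposure are still present on a Supervisor and one that applies the workaround idempotently (it does not append "DenyUsers tunneluser" or the rm line to phProvision.sh a second time if they are already there). The paths are the ones named in the advisory; the ROOT prefix (empty on a live Supervisor, a scratch directory for a rehearsal) and ADMIN_HOME (assumed to be /home/admin, standing in for ~admin) are assumptions of this example, and the process-kill and service-restart steps only run when ROOT is empty.

```shell
#!/bin/sh
# Added example for the FG-IR-19-296 workaround (not Fortinet's or CERT-Renater's code).
# ROOT is an assumed prefix: empty on a live Supervisor, or a scratch directory to
# rehearse the steps without touching the real system (process steps are then skipped).
ROOT="${ROOT:-}"
# Assumption: the "admin" account's home is /home/admin (the advisory writes ~admin).
ADMIN_HOME="${ADMIN_HOME:-/home/admin}"

TUNNEL_SSHD_CFG="/etc/ssh/sshd_config.tunneluser"   # presence => sshd on 19999 is configured
PROVISION_SCRIPT="/etc/init.d/phProvision.sh"       # re-creates the config on provisioning
SSHD_CFG="/etc/ssh/sshd_config"                     # port-22 daemon config
DENY_LINE="DenyUsers tunneluser"

# Key material named in step 4 of the workaround (one path per line).
key_files() {
    printf '%s\n' \
        /opt/phoenix/deployment/id_rsa.pub.tunneluser \
        /home/tunneluser/.ssh/authorized_keys \
        /opt/phoenix/id_rsa.tunneluser \
        "$ADMIN_HOME/.ssh/id_rsa"
}

# Print every remaining exposure; return 0 only if nothing is left.
fortisiem_tunneluser_status() {
    found=0
    if [ -e "$ROOT$TUNNEL_SSHD_CFG" ]; then
        echo "present: $TUNNEL_SSHD_CFG (sshd on port 19999 still configured)"; found=1
    fi
    for f in $(key_files); do
        if [ -e "$ROOT$f" ]; then echo "present: $f (tunneluser key material)"; found=1; fi
    done
    if ! grep -qxF "$DENY_LINE" "$ROOT$SSHD_CFG" 2>/dev/null; then
        echo "missing: '$DENY_LINE' in $SSHD_CFG (tunneluser can still log in on port 22)"; found=1
    fi
    # Only meaningful on the live system: is the port-19999 sshd still running?
    if [ -z "$ROOT" ] && command -v pgrep >/dev/null 2>&1 \
        && pgrep -f "/usr/sbin/sshd -p 19999" >/dev/null 2>&1; then
        echo "running: sshd listening on TCP 19999"; found=1
    fi
    return $found
}

# Apply steps 2-4 and the DenyUsers change; safe to run more than once.
fortisiem_tunneluser_harden() {
    rm -f "$ROOT$TUNNEL_SSHD_CFG"
    # Persist the removal across provisioning runs, but add the line only once.
    if [ -e "$ROOT$PROVISION_SCRIPT" ] \
        && ! grep -qF "rm -f $TUNNEL_SSHD_CFG" "$ROOT$PROVISION_SCRIPT"; then
        echo "rm -f $TUNNEL_SSHD_CFG" >> "$ROOT$PROVISION_SCRIPT"
    fi
    for f in $(key_files); do rm -f "$ROOT$f"; done
    if ! grep -qxF "$DENY_LINE" "$ROOT$SSHD_CFG" 2>/dev/null; then
        echo "$DENY_LINE" >> "$ROOT$SSHD_CFG"
    fi
    if [ -z "$ROOT" ]; then
        pkill -f "/usr/sbin/sshd -p 19999" || true   # pkill returns 1 if nothing matched
        service sshd restart
    fi
    echo "hardening applied"
}

# Usage: ROOT= sh this_script.sh status | harden   (run as root on the Supervisor)
case "${1:-}" in
    status) fortisiem_tunneluser_status ;;
    harden) fortisiem_tunneluser_harden ;;
esac
```

Run `status` first to see which pieces a given Supervisor still has (it exits non-zero while any remain), then `harden`, then `status` again; on a 5.2.6 box the listener check on 19999 and the DenyUsers line are the two things to confirm. The removal of ~admin/.ssh/id_rsa follows the advisory literally, so check that the admin account does not use that key for anything else before running it.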