A hardcoded SSH public key in Fortinet’s Security Information and Event Management FortiSIEM can be abused to access the FortiSIEM Supervisor.
The hardcoded SSH key is for the user ‘tunneluser’, is the same between installs and is also stored unencrypted in the FortiSIEM image. As a result, an attacker could retrieve it and use it to sign into the FortiSIEM Supervisor without authentication.
“While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds,” Cybera Inc Security Specialist Andrew Klaus explained.
Tracked as CVE-2019-17659, the vulnerability could lead to denial of service, security solutions provider Fortinet notes in an advisory.
The company also explains that the user ‘tunneluser’ only runs in a restricted shell “that lets only that user create tunnel connections from the supervisor to the originating IP.”
As such, it is possible to enable reverse-shell connections to the IP that initiated the connection. The feature, Fortinet says, is meant to enable connecting to collectors from the supervisor when a firewall exists between collector and the supervisor.
Fortinet advises customers who are not using the reverse tunnel feature to disable SSH on port 19999. The company also provides information on the steps that customers can perform on Supervisor to remove the keys associated with the ‘tunneluser’ account.
Moreover, the security company advises customers to also disable ‘tunneluser’ SSH access on port 22.
According to Klaus, customers should clear out or delete the /home/tunneluser/.ssh/authorized_keys file and also ensure that their nodes are behind firewalls with only trusted access to ports.
The security flaw was disclosed publicly in the beginning of January. It impacts FortiSIEM version 5.2.6 and below and was addressed last week with the release of FortiSIEM version 5.2.7.
Related: Fortinet Acquires SOAR Platform Provider CyberSponse
Related: Fortinet Acquires Endpoint Security Firm enSilo

More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
