Connect with us

Hi, what are you looking for?


Network Security

Hardcoded SSH Key Found in Fortinet SIEM Appliances

A hardcoded SSH public key in Fortinet’s Security Information and Event Management FortiSIEM can be abused to access the FortiSIEM Supervisor. 

A hardcoded SSH public key in Fortinet’s Security Information and Event Management FortiSIEM can be abused to access the FortiSIEM Supervisor. 

The hardcoded SSH key is for the user ‘tunneluser’, is the same between installs and is also stored unencrypted in the FortiSIEM image. As a result, an attacker could retrieve it and use it to sign into the FortiSIEM Supervisor without authentication. 

“While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds,” Cybera Inc Security Specialist Andrew Klaus explained

Tracked as CVE-2019-17659, the vulnerability could lead to denial of service, security solutions provider Fortinet notes in an advisory

The company also explains that the user ‘tunneluser’ only runs in a restricted shell “that lets only that user create tunnel connections from the supervisor to the originating IP.”

As such, it is possible to enable reverse-shell connections to the IP that initiated the connection. The feature, Fortinet says, is meant to enable connecting to collectors from the supervisor when a firewall exists between collector and the supervisor.

Fortinet advises customers who are not using the reverse tunnel feature to disable SSH on port 19999. The company also provides information on the steps that customers can perform on Supervisor to remove the keys associated with the ‘tunneluser’ account.

Advertisement. Scroll to continue reading.

Moreover, the security company advises customers to also disable ‘tunneluser’ SSH access on port 22. 

According to Klaus, customers should clear out or delete the /home/tunneluser/.ssh/authorized_keys file and also ensure that their nodes are behind firewalls with only trusted access to ports. 

The security flaw was disclosed publicly in the beginning of January. It impacts FortiSIEM version 5.2.6 and below and was addressed last week with the release of FortiSIEM version 5.2.7. 

Related: Fortinet Acquires SOAR Platform Provider CyberSponse

Related: Fortinet Acquires Endpoint Security Firm enSilo

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...