CVE-2019-17659: 
FortiSIEM Schwachstellenanalyse und -minderung

A use of hard-coded cryptographic key vulnerability was discovered in FortiSIEM version 5.2.6 and below. The vulnerability (CVE-2019-17659) allows a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user 'tunneluser' by leveraging knowledge of the private key from another installation or a firmware image. The vulnerability was disclosed on January 15, 2020 (Fortinet PSIRT).

The vulnerability stems from a hardcoded SSH public key for the 'tunneluser' account that is identical across all FortiSIEM installations. The unencrypted key is stored inside the FortiSIEM image, making it accessible to attackers. The vulnerability operates on port 19999, separate from the standard SSH port 22. The CVSS v3.1 score for this vulnerability is 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (Fortinet PSIRT, ZDNET).

While the 'tunneluser' account runs in a restricted shell that only allows creating tunnel connections from the supervisor to the originating IP, the vulnerability could potentially be exploited to bypass firewalls and gain unauthorized access to a company's crucial cyber-security product. If an attacker finds a way to bypass the restricted shell, they would gain access to the company's center of operations (ZDNET, Fortinet PSIRT).

Fortinet has released a patch in version 5.2.7 to address this vulnerability. For users unable to upgrade, several workarounds are available: disable SSH service on port 19999, remove the tunneluser SSH configuration file, terminate sshd running on TCP Port 19999, and remove keys associated with the tunneluser account. Additionally, it's recommended to disable 'tunneluser' SSH access on port 22 (Fortinet PSIRT).

The vulnerability received attention from security researchers and media, particularly due to its potential impact on SIEM systems, which are crucial for company's cyber-security defenses. Security researcher Andrew Klaus, who identified the issue, warned about the potential risks if attackers could bypass the restricted shell (ZDNET).