Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2019-17659
CVE-2019-17659:
FortiSIEM vulnerability analysis and mitigation
Overview
A use of hard-coded cryptographic key vulnerability was discovered in FortiSIEM version 5.2.6 and below. The vulnerability (CVE-2019-17659) allows a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user 'tunneluser' by leveraging knowledge of the private key from another installation or a firmware image. The vulnerability was disclosed on January 15, 2020 (Fortinet PSIRT).
Technical details
The vulnerability stems from a hardcoded SSH public key for the 'tunneluser' account that is identical across all FortiSIEM installations. The unencrypted key is stored inside the FortiSIEM image, making it accessible to attackers. The vulnerability operates on port 19999, separate from the standard SSH port 22. The CVSS v3.1 score for this vulnerability is 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (Fortinet PSIRT, ZDNET).
Impact
While the 'tunneluser' account runs in a restricted shell that only allows creating tunnel connections from the supervisor to the originating IP, the vulnerability could potentially be exploited to bypass firewalls and gain unauthorized access to a company's crucial cyber-security product. If an attacker finds a way to bypass the restricted shell, they would gain access to the company's center of operations (ZDNET, Fortinet PSIRT).
Mitigation and workarounds
Fortinet has released a patch in version 5.2.7 to address this vulnerability. For users unable to upgrade, several workarounds are available: disable SSH service on port 19999, remove the tunneluser SSH configuration file, terminate sshd running on TCP Port 19999, and remove keys associated with the tunneluser account. Additionally, it's recommended to disable 'tunneluser' SSH access on port 22 (Fortinet PSIRT).
Community reactions
The vulnerability received attention from security researchers and media, particularly due to its potential impact on SIEM systems, which are crucial for company's cyber-security defenses. Security researcher Andrew Klaus, who identified the issue, warned about the potential risks if attackers could bypass the restricted shell (ZDNET).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management