HB1PMS > TECH 21.01.20 15:03l 77 Lines 3421 Bytes #999 (0) @ WW
BID : 5644HB1PMS
Read: GAST
Subj: FortiSIEM Suffers From Hardcoded SSH Key Vulnerabi
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200121/1224Z 5379@HB1BBS.ZL.NLD.EU BPQ6.0.19
Message from: HB1PMS@HB1BBS
FortiSIEM Suffers From Hardcoded SSH Key Vulnerability
January 21, 2020 | Malware and Vulnerabilities
The vulnerability could lead to a denial of service condition.
Fortinet has fixed the flaw in version 5.2.7 of FortiSIEM.
A security researcher discovered a hard-coded cryptographic key vulnerability in
Fortinet's FortiSIEM (its Security Information and Event Management product),
which a remote, unauthenticated attacker could exploit to obtain SSH access to
the FortiSIEM Supervisor.
What happened?
Andrew Klaus, a security professional from Cybera, came across a hardcoded
SSH key pair in FortiSIEM. The vulnerability is tracked as CVE-2019-17659.
Klaus found that the SSH key authorized for the user 'tunneluser' is the same
on every installation (and shared with other Fortinet devices), and that the
matching private key is stored unencrypted in the firmware image, so anyone
holding one image or one install has the key to all of them. As noted in the
advisory published by Fortinet, the vulnerability could also lead to a denial
of service (DoS).
"A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow
a remote unauthenticated attacker to obtain SSH access to the supervisor as
the restricted user "tunneluser" by leveraging knowledge of the private key
from another installation or a firmware image," read the advisory published
by Fortinet.
The 'tunneluser' account runs in a restricted shell that permits only one
action: creating tunnel connections from the supervisor back to the IP address
the SSH session originated from.
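The shared-key pattern described above, as an added example (this is not code from Fortinet, from FortiSIEM, or from the original researcher): it computes OpenSSH SHA256 fingerprints of authorized_keys entries collected from several hosts and flags any key that is trusted on more than one of them, which is what a baked-in default key looks like from the outside. The host names, user names, key bytes and the restrict,command="/usr/local/bin/tunnelshell" option string are all constructed for the example; the key blobs are well-formed ssh-ed25519 wire format but were not generated from real key pairs.

```python
"""
Added example (not Fortinet's or the original researcher's code): flag SSH public
keys that are accepted on more than one host, the pattern behind CVE-2019-17659,
where every FortiSIEM install trusted the same 'tunneluser' key.
All host names, user names, key bytes and the forced-command path below are
CONSTRUCTED for the demo; the blobs are valid ssh-ed25519 wire format but come
from no real key pair.
"""
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Matches the key-type and base64 blob fields of an authorized_keys line, even
# when the line starts with options such as restrict,command="...".
_KEY_RE = re.compile(
    r'(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.@-]+)'
    r'\s+(?P<blob>[A-Za-z0-9+/]+=*)'
)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def make_fake_ed25519_line(seed: int, comment: str, options: str = "") -> str:
    """Build an authorized_keys line with a structurally valid ssh-ed25519 blob.
    CONSTRUCTED: the 32-byte 'point' is a hash of a counter, not a real key."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    line = f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {line}" if options else line


def fingerprint(authorized_line: str) -> str:
    """OpenSSH SHA256 fingerprint of the key on one authorized_keys line, the
    same value `ssh-keygen -lf` prints: SHA256:<unpadded base64 of sha256(blob)>."""
    m = _KEY_RE.search(authorized_line)
    if m is None:
        raise ValueError(f"no public key found in line: {authorized_line!r}")
    blob = base64.b64decode(m.group("blob"))
    # Sanity check: the blob's first wire string must repeat the declared type.
    declared = m.group("type").encode()
    if blob[4:4 + len(declared)] != declared:
        raise ValueError("key type field does not match blob contents")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(fleet: dict) -> dict:
    """fleet maps host -> {user -> [authorized_keys lines]}.
    Returns {fingerprint: [(host, user), ...]} for every key accepted on more
    than one host. A key trusted fleet-wide is either a deliberate management
    key or, as in this advisory, a default whose private half ships with the
    image; either way it needs an owner and a rotation story."""
    seen = defaultdict(list)
    for host, users in fleet.items():
        for user, lines in users.items():
            for line in lines:
                if not line.strip() or line.lstrip().startswith("#"):
                    continue
                seen[fingerprint(line)].append((host, user))
    return {fp: hits for fp, hits in seen.items()
            if len({host for host, _ in hits}) > 1}


# Hypothetical forced-command option; the real appliance path is not given here.
TUNNEL_OPTS = 'restrict,command="/usr/local/bin/tunnelshell"'

# CONSTRUCTED fleet: three supervisors that all accept the same tunneluser key
# (seed 1), while each admin key (seeds 10..12) is unique to its host.
FLEET = {
    "siem-sup-01.example.net": {
        "tunneluser": [make_fake_ed25519_line(1, "tunneluser@image", TUNNEL_OPTS)],
        "admin": [make_fake_ed25519_line(10, "alice@laptop")],
    },
    "siem-sup-02.example.net": {
        "tunneluser": [make_fake_ed25519_line(1, "tunneluser@image", TUNNEL_OPTS)],
        "admin": [make_fake_ed25519_line(11, "bob@laptop")],
    },
    "siem-sup-03.example.net": {
        "tunneluser": ["# key not yet rotated",
                       make_fake_ed25519_line(1, "tunneluser@image", TUNNEL_OPTS)],
        "admin": [make_fake_ed25519_line(12, "carol@laptop")],
    },
}


def report(fleet: dict = FLEET) -> list:
    """One human-readable finding per key that is trusted on several hosts."""
    findings = []
    for fp, hits in shared_keys(fleet).items():
        users = sorted({u for _, u in hits})
        hosts = sorted({h for h, _ in hits})
        findings.append(f"{fp} accepted for {','.join(users)} on "
                        f"{len(hosts)} hosts: {', '.join(hosts)}")
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

To use it against real appliances, feed shared_keys() the contents of each account's authorized_keys file; running ssh-keygen -lf on the appliance gives the same SHA256 fingerprint for cross-checking. One key trusted on every host is not by itself proof of this flaw, but it is exactly the condition the advisory describes, and the next question is where the private half lives.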
The timeline of the vulnerability
The flaw affects FortiSIEM version 5.2.6 and earlier. Below is the disclosure
timeline as given in the thread archived on Seclists.
Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
Dec 3, 2019: Automated reply from PSIRT that the email was received.
Dec 23, 2019: Reminder email sent to PSIRT requesting a human acknowledgement.
Jan 3, 2020: Public release.
As per Klaus, no human response was received from Fortinet for over 30 days.
However, Fortinet has now addressed the flaw with the release of FortiSIEM
version 5.2.7.
Vulnerability workaround
Fortinet advised customers who do not use the reverse tunnel feature to
disable the SSH service on port 19999, the listener that accepts only
tunneluser logins. Fortinet also advised customers to disable tunneluser SSH
access on port 22, so that the shared key cannot be used against the regular
SSH service either.
73 Henk. HB1PMS
=====================================================================
_ _ ____ __ ____ ____ _____
| | | | _ \/_ | _ \| _ \ / ____| SYS: Henk (hb1nos@hb1bbs.com)
| |__| | |_) || | |_) | |_) | (___ QTH: Ouwerkerk - JO11XO
| __ | _ < | | _ <| _ < \___ \ BBS: HB1BBS.ZL.NLD.EU
| | | | |_) || | |_) | |_) |____) | QRV: 27.235 MHz (FM 1200bps)
|_| |_|____/ |_|____/|____/|_____/ WEB: www.hb1bbs.com
=====================================================================
(Message sent with Sally 7.2.035)
---------------------------------------------------------------------
Timed Tuesday 11 January 2005 16:26 gmt
BBS HB1PMS@HB1BBS
---------------------------------------------------------------------