Exploit for Fortinet FortiSIEM 5.2.5 / 5.2.6 Hardcoded Key

Name: Exploit for Fortinet FortiSIEM 5.2.5 / 5.2.6 Hardcoded Key
Rating: 5 (171 reviews)
2020-01-07 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:155868
Vendor: Fortinet  
Product: FortiSIEM  
Tested version: 5.2.5, 5.2.6. I haven't confirmed older versions, but there  
is a good chance they're also affected.  
CVE: Fortinet hands out their own CVEs according to Mitre, and since no  
human confirmation was received by Fortinet, no CVE was created yet.  
  
  
== Summary:  
  
FortiSIEM has a hardcoded SSH public key for user "tunneluser" which is the  
same between all installs. An attacker with this key can successfully  
authenticate as this user to the FortiSIEM Supervisor. The unencrypted key  
is also stored inside the FortiSIEM image. While the user's shell is  
limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH  
authentication still succeeds.  
  
  
== Timeline:  
  
Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.  
Dec 3, 2019: Automated reply from PSIRT that email was received.  
Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human  
confirmation.  
Jan 3, 2019: Public Release  
  
No human response was received by Fortinet for over 30 days. I stated that  
if a confirmation was received before January 2nd that they would be given  
an additional 60 days (90 days from initial release) to resolve the  
vulnerability before releasing it publicly. No such response was received,  
so it's now being publicly released.  
  
== Workaround:  
  
Clear out (or delete) the /home/tunneluser/.ssh/authorized_keys file on the  
Supervisor:  
  
supervisor# echo "" > /home/tunneluser/.ssh/authorized_keys  
  
OR  
  
supervisor# rm /home/tunneluser/.ssh/authorized_keys  
  
Also, ensure any of your nodes are behind firewalls with only trusted  
access to ports.  
  
  
== Details:  
  
The FortiSIEM Supervisor has 2 different sshd daemons listening: one is on  
the standard port 22/tcp, and the other on port 19999/tcp):  
  
supervisor# netstat -lnp |grep sshd  
tcp 0 0 0.0.0.0:22 0.0.0.0:*  
LISTEN 38593/sshd  
tcp 0 0 0.0.0.0:19999 0.0.0.0:*  
LISTEN 38615/sshd  
tcp 0 0 :::22 :::*  
LISTEN 38593/sshd  
tcp 0 0 :::19999 :::*  
LISTEN 38615/sshd  
  
The sshd daemon on 19999/tcp uses its own configuration file:  
  
Supervisor# ps aux |grep 38615  
root 38615 0.0 0.0 66288 512 ? Ss Sep25 0:00  
/usr/sbin/sshd -p 19999 -f /etc/ssh/sshd_config.tunneluser  
  
When looking for this user under ssh configuration files, the sshd  
19999/tcp only allows tunneluser to authenticate:  
  
supervisor# grep -R tunneluser /etc/ssh/  
/etc/ssh/sshd_config.tunneluser:AllowUsers tunneluser@*  
/etc/ssh/sshd_config.tunneluser:DenyUsers "!tunneluser@*,*"  
  
Note that there's no DenyUsers tunneluser@* for the standard sshd  
configuration. This means that tunneluser can also successfully  
authenticate over sshd port 22/tcp.  
  
  
The Supervisor has an entry for tunneluser in its passwd file:  
  
supervisor# grep tunneluser /etc/passwd:  
tunneluser:x:501:502::/home/tunneluser:/opt/phoenix/phscripts/bin/tunnelshell  
  
  
The Supervisor allows tunneluser to connect with the following SSH key, and  
forward port 2 to localhost. I've confirmed with other users of FortiSIEM  
that this key is the same for other installs as well. It is not  
auto-generated for each FortiSIEM instance:  
  
supervisor# cat /home/tunneluser/.ssh/authorized_keys  
permitopen="127.0.0.1:2" ssh-rsa  
AAAAB3NzaC1yc2EAAAABIwAAAQEArtFWNhmJqezB0NC5NAbWGZBDWHpGsB+d0+bI46mIJMVyfLhuIa5s5iZF30ehRxu0tTILp40EDe5S9VkdlOymJFvA3dUTlfuhwKvV1hUHXe/5ARTC8AX+1QeZDGnzUKBp/64in6STyaG/1KZj0U1rKUTH42SJWjTrvE/vHqilrcY9SmPx498mPzR8CvlJKYCm1WvweIUoqiVnIqIAQrZqTR+0ea1LksQ6YP4PqpTZpe495bIhk+f2pwPI6PU2q0X61Ae99kqo07whoktb3NdNSI9y/yWJleKdw/FaR0Cj7Ilqg3KyR8evHQoOTHpWiTRAPOpo82qfbx6W0ykrRjo/QQ==  
builder@ao-build  
  
  
The corresponding SSH Private Key is located on all nodes (Supervisor,  
Collector, etc.) under the /opt/phoenix/id_rsa.tunneluser file. Running the  
following command confirms that this key matches that of the public key:  
  
# ssh-keygen -y -f /opt/phoenix/id_rsa.tunneluser  
ssh-rsa  
AAAAB3NzaC1yc2EAAAABIwAAAQEArtFWNhmJqezB0NC5NAbWGZBDWHpGsB+d0+bI46mIJMVyfLhuIa5s5iZF30ehRxu0tTILp40EDe5S9VkdlOymJFvA3dUTlfuhwKvV1hUHXe/5ARTC8AX+1QeZDGnzUKBp/64in6STyaG/1KZj0U1rKUTH42SJWjTrvE/vHqilrcY9SmPx498mPzR8CvlJKYCm1WvweIUoqiVnIqIAQrZqTR+0ea1LksQ6YP4PqpTZpe495bIhk+f2pwPI6PU2q0X61Ae99kqo07whoktb3NdNSI9y/yWJleKdw/FaR0Cj7Ilqg3KyR8evHQoOTHpWiTRAPOpo82qfbx6W0ykrRjo/QQ==  
  
This means that anyone with access to any FortiSIEM image (to copy the SSH  
private key) can authenticate successfully via SSH to the FortiSIEM  
Supervisor on port 19999/tcp as tunneluser. They will be limited to the  
/opt/phoenix/phscripts/bin/tunnelshell script, but if this is bypassed then  
full shell access can be obtained.  
  
iptables and ip6tables are present on the Supervisor. However, they are  
both permissive and accept all traffic destined to them:  
  
supervisor# iptables -L  
Chain INPUT (policy DROP)  
target prot opt source destination  
ACCEPT all -- anywhere anywhere  
...  
  
supervisor bin]# ip6tables -L  
Chain INPUT (policy ACCEPT)  
target prot opt source destination  
...