[FortiSiem] Hardcoded ssh credentials allow access to Supervisor as tunneluser

[FortiSiem] Hardcoded ssh credentials allow access to Supervisor as tunneluser Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-19-296 Final 1 1 2020-01-15T00:00:00 Current version 2020-01-15T00:00:00 2020-01-15T00:00:00 A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image.Note: Restricted user "tunneluser" runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP (i.e. enabling reverse-shell connections to the IP that initiated the connection). This is a feature that exists to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor. Improper access control FortiSIEM version 5.2.6 and below. Please upgrade to FortiSIEM version 5.2.7 and above where this issue is resolved. Workaround (for FortiSIEM version 5.2.6 and lower): Customers who are not using the reverse tunnel feature are advised to disable SSH service on port 19999 by following the steps below :1. SSH to the Supervisor node as the root user.2. Remove tunneluser SSH configuration file to disable listening on port 19999:rm -f /etc/ssh/sshd_config.tunneluserecho rm -f /etc/ssh/sshd_config.tunneluser >> /etc/init.d/phProvision.sh3. Then terminate sshd running on TCP Port 19999 as follows:pkill -f /usr/sbin/sshd -p 199994.Additional steps can be performed on Supervisor to remove the keys associated with tunneluser account:rm -f /opt/phoenix/deployment/id_rsa.pub.tunneluserrm -f /home/tunneluser/.ssh/authorized_keysrm -f /opt/phoenix/id_rsa.tunneluser ~admin/.ssh/id_rsaCustomers are also advised to disable "tunneluser" SSH access on port 22 by following the steps bwlow:1. SSH to the Supervisor node as the root user.2. Add/edit the following line in sshd_config file: echo DenyUsers tunneluser >> /etc/ssh/sshd_config3. service sshd restart Fortinet is pleased to thank Andrew Klaus for bringing this issue to our attention. [FortiSiem] Hardcoded ssh credentials allow access to Supervisor as tunneluser CVE-2019-17659 3.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-19-296 [FortiSiem] Hardcoded ssh credentials allow access to Supervisor as tunneluser Reference>