Fortinet removes SSH and database backdoors from its SIEM product

Patches have been released for CVE-2019-17659 and CVE-2019-16153.


Fortinet has released patches this month to remove two backdoor accounts from FortiSIEM, the company's SIEM product.

SIEM stands for Security Information and Event Management and refers to a class of software used by cyber-security teams.

SIEM software can run as a cloud-based service or as a locally hosted server. FortiSIEM, like SIEM products as a whole, works by aggregating data points from different sources, such as operating system, application, antivirus, database, and server logs. The role of a SIEM product is to collect and analyze these vast swaths of data for anomalies or known indicators of a security breach, and then alert the company's security team.

Due to the sensitive nature of the data processed by a SIEM product and its central role in a company's cyber-security defenses, any backdoor mechanism in these systems is considered a dangerous and highly critical vulnerability.

Any threat actor who gains access to a SIEM product can use it to carry out reconnaissance on a target's internal network, and later delete signs of a successful compromise.

SSH backdoor

On January 15, Fortinet released a patch for FortiSIEM which removed a backdoor in the SIEM's SSH connection feature.

"FortiSIEM has a hardcoded SSH public key for user 'tunneluser' which is the same between all installs," said Andrew Klaus, the security researcher who identified this issue.

"An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key is also stored inside the FortiSIEM image," he said.

Besides the availability of a patch, the only good news is that this SSH user lands in a restricted shell, one normally used by hosts to send data back to the FortiSIEM Supervisor (the data collection server), and as a result it has access to very few features.

The bad news is that the "tunneluser" SSH account is commonly used to traverse firewalls and send telemetry and log data back to a FortiSIEM server across the internet, meaning the port is often reachable from outside and FortiSIEM is exposed to remote unauthorized access by the design of the feature.

The hardcoded SSH key, even if it only grants access to a limited shell/account, still gives an attacker a foothold on a company's crucial cyber-security product, a place where attackers should not get access, even via limited accounts.

Klaus warns that if an attacker finds a way to bypass this restricted shell, they would be sitting right inside a company's center of operations.

Companies are advised to install Fortinet's patch for CVE-2019-17659, or restrict access to FortiSIEM's "tunneluser" port -- which works on port 19999, separate from the standard SSH port 22.

Companies that run FortiSIEM products are also advised to investigate their servers for unauthorized access. Due to an email server issue, there was a miscommunication between Fortinet and Klaus, and the researcher published details about this vulnerability on the internet on January 3, twelve days before Fortinet released a patch -- meaning some attacks might have occurred.
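The investigation step above comes down to a simple question: who has authenticated as "tunneluser", and were they hosts you expected? Because the key pair is identical across installs, the key fingerprint in the log cannot distinguish a legitimate collector from an attacker holding the leaked private key; the source address is the only usable discriminator. The following is an added example, not code from Fortinet or from the researcher's write-up. It assumes the appliance's sshd writes standard OpenSSH "Accepted publickey" lines; the hostname, the allow-list of collector subnets, and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed sample sshd log lines (not from a real FortiSIEM appliance).
# Assumption: the tunnel sshd logs in the standard OpenSSH format.
SAMPLE_LOG = """\
Jan  3 09:14:02 fsm-super sshd[2231]: Accepted publickey for tunneluser from 10.20.30.41 port 48122 ssh2: RSA SHA256:aaaa
Jan  3 09:15:10 fsm-super sshd[2240]: Accepted publickey for admin from 10.20.30.5 port 50010 ssh2: RSA SHA256:bbbb
Jan  3 11:02:55 fsm-super sshd[2302]: Accepted publickey for tunneluser from 203.0.113.77 port 33910 ssh2: RSA SHA256:aaaa
Jan  4 02:41:13 fsm-super sshd[2410]: Failed publickey for tunneluser from 198.51.100.9 port 44021 ssh2: RSA SHA256:cccc
Jan  4 02:41:20 fsm-super sshd[2411]: Accepted publickey for tunneluser from 198.51.100.9 port 44022 ssh2: RSA SHA256:aaaa
"""

# Hypothetical allow-list: the collector/agent networks expected to open the tunnel.
KNOWN_COLLECTORS = [ipaddress.ip_network("10.20.30.0/24")]

# Matches only successful logins; failed attempts are a separate signal.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_logins(lines: Iterable[str]) -> List[dict]:
    """Extract successful sshd logins as dicts (ts, method, user, src, port)."""
    out = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def is_known(src: str, allow=KNOWN_COLLECTORS) -> bool:
    """True if src is an IP inside one of the allowed collector networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage never match the allow-list
    return any(addr in net for net in allow)


def suspicious_tunnel_logins(lines: Iterable[str], user: str = "tunneluser",
                             allow=KNOWN_COLLECTORS) -> List[dict]:
    """Successful logins as `user` from addresses outside the allow-list."""
    return [e for e in parse_logins(lines)
            if e["user"] == user and not is_known(e["src"], allow)]


if __name__ == "__main__":
    for e in suspicious_tunnel_logins(SAMPLE_LOG.splitlines()):
        print(f"{e['ts']} {e['user']} login from unexpected source {e['src']}")
```

On the constructed input this flags the two logins from 203.0.113.77 and 198.51.100.9 and ignores the admin login and the failed attempt. In practice the allow-list should be built from the collectors actually registered with the Supervisor, and any hit before the January 15 patch date deserves a look at what the restricted shell was asked to do.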

The database backdoor

But there is also a second backdoor-like mechanism in Fortinet's FortiSIEM. On January 12, Fortinet also patched CVE-2019-16153.

This patch removes a hardcoded password from the FortiSIEM database component that could allow attackers to access the device database via the use of static credentials.

Yet, to exploit this issue, an attacker first needs access to a company's internal network.

Neither of these two backdoor issues is, however, as severe as the ones discovered in the FortiGate OS back in early 2016, which impacted most of the company's networking equipment.