The security vendor Fortinet has released patches that fix the vulnerabilities CVE-2019-17659 and CVE-2019-16153 in its own SIEM product FortiSIEM. The patches close two backdoors opened by bugs, one in SSH and one in the product’s database.
I became aware of this issue via the following tweet from Catalin Cimpanu that I read last night.
— Catalin Cimpanu (@campuscodi) January 27, 2020
Just for context, for blog readers who are not familiar with the topic: SIEM is the abbreviation for Security Information and Event Management, actually a sensible thing. The linked Wikipedia article writes: SIEM combines the two concepts Security Information Management (SIM) and Security Event Management (SEM) for real-time analysis of security alarms from applications and network components. SIEM thus serves the computer security of an organization and is a software product that can be installed centrally or used as a cloud service. It is simply unfortunate when a SIEM product itself has weaknesses that make it vulnerable to attack.
CVE-2019-17659 and CVE-2019-16153 in FortiSIEM
The vulnerabilities CVE-2019-17659 and CVE-2019-16153 are issues that compromise the security of the FortiSIEM solution.
SSH vulnerability CVE-2019-17659
On 15 January 2020 Fortinet published the security advisory FortiSIEM default SSH key for the “tunneluser” account is the same across all appliances. FortiSIEM up to version 5.2.6 is vulnerable to Denial of Service attacks. The use of a hard-coded cryptographic key in FortiSIEM effectively creates a backdoor and may allow a remote, unauthenticated attacker to gain SSH access to the supervisor as the restricted “tunneluser” account. The attacker needs only knowledge of the private key, obtained from another installation or from a firmware image.
Fortinet advises users to upgrade to FortiSIEM version 5.2.7 and above as this issue is resolved there. For users of FortiSIEM version 5.2.6 and below, the vendor has published a workaround in the security advisory linked above, which shows how to secure these versions against such an attack.
Companies using FortiSIEM products should additionally check their servers for unauthorized access, because there was a problem in the email communication between Fortinet and the discovering security researcher Klaus, as ZDNet writes here. The researcher released details of the vulnerability on January 3, 2020, twelve days before Fortinet released a patch. This could have led to attacks.
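As an added defender-side example (not from this post and not Fortinet’s own tooling), the following script checks for the class of problem described above: given the “tunneluser” authorized_keys content collected from several appliances, it computes OpenSSH-style SHA256 fingerprints and reports any key that is shared by more than one host. Host names, file contents and key blobs are constructed; the location where FortiSIEM stores the key is not on the page and is not assumed.

```python
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional


def _fake_blob(seed: bytes) -> str:
    # Constructed, syntactically plausible ed25519-style key blob: length-prefixed
    # key type followed by 32 opaque bytes derived from the seed. Not a real key.
    kt = b"ssh-ed25519"
    body = len(kt).to_bytes(4, "big") + kt + (32).to_bytes(4, "big") + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()


# Constructed sample: authorized_keys content as gathered from three hypothetical
# appliances. Two carry the same key (a shared default), the third a per-host key.
SAMPLE_AUTHORIZED_KEYS: Dict[str, str] = {
    "siem-super-1": f"ssh-ed25519 {_fake_blob(b'shared-default')} tunneluser\n",
    "siem-super-2": f"# comment line\nssh-ed25519 {_fake_blob(b'shared-default')} tunneluser\n",
    "siem-super-3": f"ssh-ed25519 {_fake_blob(b'host3-unique')} tunneluser\n",
}


def fingerprint(line: str) -> Optional[str]:
    """OpenSSH-style 'SHA256:...' fingerprint of one authorized_keys line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # A line may carry options (e.g. command="...") before the key type, so locate the type field.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def shared_keys(per_host: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each fingerprint present on more than one host to the sorted list of those hosts."""
    seen = defaultdict(set)
    for host, content in per_host.items():
        for line in content.splitlines():
            fp = fingerprint(line)
            if fp:
                seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{fp} is shared by {', '.join(hosts)}: likely a default key, rotate it")
```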
Database vulnerability CVE-2019-16153
There is a second vulnerability, CVE-2019-16153, in the database used by FortiSIEM that can likewise be exploited as a backdoor. For this issue Fortinet had already published the FortiSIEM Database hard-coded Credentials Security Advisory on January 12, 2020.
Background: There is a hard-coded password for accessing the database in use. This hard-coded password vulnerability in the FortiSIEM database component can allow attackers to access the device database using static credentials. There, an attacker could obtain comprehensive information about the devices managed by the SIEM solution. FortiSIEM up to version 5.2.5 is affected and the vendor recommends upgrading to FortiSIEM 5.2.6 or higher.
Further details can be found in the ZDNet article. Are some of you affected as Fortinet software users?