{"id":12847,"date":"2020-01-28T15:22:30","date_gmt":"2020-01-28T14:22:30","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12847"},"modified":"2020-01-28T15:22:30","modified_gmt":"2020-01-28T14:22:30","slug":"fortinet-closes-two-vulnerabilities-ssh-database-in-its-siem","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/28\/fortinet-closes-two-vulnerabilities-ssh-database-in-its-siem\/","title":{"rendered":"Fortinet closes two vulnerabilities (SSH, Database) in its SIEM"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/28\/fortinet-schlie-zwei-schwachstellen-ssh-database-in-siem-produkten\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] The security vendor Fortinet has released patches that fix the vulnerabilities CVE-2019-17659 and CVE-2019-16153 in its own SIEM product FortiSIEM. The patches are intended to close two backdoors, one in SSH and one in the product's database, each of which had been torn open by a bug. <\/p>\n<p><!--more--><\/p>\n<p>I became aware of this issue via the following tweet from Catalin Cimpanu that I read last night. 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Fortinet removes SSH and database backdoors from its SIEM product <a href=\"https:\/\/t.co\/nXmd1WgRhD\">https:\/\/t.co\/nXmd1WgRhD<\/a> <a href=\"https:\/\/t.co\/wiSbiW8MCT\">pic.twitter.com\/wiSbiW8MCT<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1221783604587573248?ref_src=twsrc%5Etfw\">January 27, 2020<\/a><\/p><\/blockquote>\n<p>Just for context, for blog readers who are not familiar with the topic: SIEM is the abbreviation for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Security_Information_and_Event_Management\" target=\"_blank\" rel=\"noopener noreferrer\">Security Information and Event Management<\/a>, which is actually a useful thing. The linked Wikipedia article says: SIEM combines the two concepts Security Information Management (SIM) and Security Event Management (SEM) for real-time analysis of security alarms from applications and network components. SIEM thus serves the computer security of an organization and is a software product that can be installed centrally or used as a cloud service. It is just unfortunate when a SIEM product itself has weaknesses that make it vulnerable to attack.<\/p>\n<h2>CVE-2019-17659 and CVE-2019-16153 in FortiSIEM<\/h2>\n<p>The vulnerabilities CVE-2019-17659 and CVE-2019-16153 are issues that compromise the security of the FortiSIEM solution.<\/p>\n<h3>SSH vulnerability CVE-2019-17659<\/h3>\n<p>On 15 January 2020 Fortinet published the security advisory <a href=\"https:\/\/fortiguard.com\/psirt\/FG-IR-19-296\" target=\"_blank\" rel=\"noopener noreferrer\">FortiSIEM default SSH key for the \"tunneluser\" account is the same across all appliances<\/a>. 
FortiSIEM is vulnerable to Denial of Service attacks up to and including version 5.2.6. The use of a hard-coded cryptographic key in FortiSIEM virtually creates a backdoor and may allow a remote, unauthenticated attacker to gain SSH access to the supervisor as the restricted \"tunneluser\" account. The attacker can do this using knowledge of the private key taken from another installation or from a firmware image.<\/p>\n<p>Fortinet advises users to upgrade to FortiSIEM version 5.2.7 or above, as the issue is resolved there. For users of FortiSIEM version 5.2.6 and below, the vendor has published a workaround in the security advisory linked above, which shows how to secure these versions against such an attack.<\/p>\n<blockquote>\n<p>Companies using FortiSIEM products should additionally scan their servers for unauthorized access, because, as ZDNet <a href=\"https:\/\/www.zdnet.com\/article\/fortinet-removes-ssh-and-database-backdoors-from-its-siem-product\/\" target=\"_blank\" rel=\"noopener noreferrer\">writes here<\/a>, there was a problem in the email communication between Fortinet and Klaus, the security researcher who discovered the issue. The researcher released details of the vulnerability on January 3, 2020, twelve days before Fortinet released a patch. This could have led to attacks.<\/p>\n<\/blockquote>\n<h3>Database vulnerability CVE-2019-16153<\/h3>\n<p>There is a second vulnerability, CVE-2019-16153, in the database used by FortiSIEM that can likewise be exploited as a backdoor. Fortinet had already published the <a href=\"https:\/\/fortiguard.com\/psirt\/FG-IR-19-195\" target=\"_blank\" rel=\"noopener noreferrer\">FortiSIEM Database hard-coded Credentials<\/a> security advisory for it on January 12, 2020.<\/p>\n<p>Background: the database used by FortiSIEM is protected by a hard-coded password. This hard-coded password vulnerability in the FortiSIEM database component can allow attackers to access the device database using static credentials. 
There, an attacker could obtain comprehensive information about the devices managed by the SIEM solution. FortiSIEM up to version 5.2.5 is affected, and the manufacturer recommends upgrading to FortiSIEM 5.2.6 or higher. <\/p>\n<p>Further details can be found in the <a href=\"https:\/\/www.zdnet.com\/article\/fortinet-removes-ssh-and-database-backdoors-from-its-siem-product\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZDNet article<\/a>. Are any of you affected as Fortinet software users?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] The security vendor Fortinet has released patches that fix the vulnerabilities CVE-2019-17659 and CVE-2019-16153 in its own SIEM product FortiSIEM. The patches are each intended to close a backdoor in SSH and in the product's database that has been torn &hellip; <a href=\"https:\/\/borncity.com\/win\/2020\/01\/28\/fortinet-closes-two-vulnerabilities-ssh-database-in-its-siem\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,22],"tags":[69,1544],"class_list":["post-12847","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-update","tag-security","tag-software"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12847"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12847\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}