Fortinet has released fixes this month to remove two backdoor accounts from FortiSIEM, the company’s SIEM product.

SIEM stands for Security Information and Event Management; it is a class of software that security teams use to collect, correlate and investigate logs and alerts from across an organisation’s systems.

Because of the sensitive nature of the data a SIEM processes and its central role in a company’s defences, any backdoor account in such a system is considered a dangerous and extremely serious vulnerability.

A threat actor who gains access to a SIEM can use it to perform reconnaissance on the target’s internal network, and later to erase evidence of a successful compromise.

On January 15, Fortinet released a patch for FortiSIEM that removed a backdoor in the SIEM’s SSH connectivity feature.

“FortiSIEM has a hardcoded SSH public key for user ‘tunneluser’ which is the same between all installs,” said Andrew Klaus, the security researcher who identified this issue.

“An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key is also stored inside the FortiSIEM image,” he said.

Apart from the availability of a patch, the only silver lining is that this SSH user lands in a restricted shell, which is normally used by hosts to send data back to the FortiSIEM Supervisor (the data collection server), and so has access to very few features.

Klaus warns that if an attacker finds a way to escape this restricted shell, they would be sitting right inside a company’s security nerve centre.

Companies are advised to install Fortinet’s patch for CVE-2019-17659, or to restrict access to FortiSIEM’s “tunneluser” SSH port, which listens on port 19999 rather than the standard SSH port 22.

Companies running FortiSIEM are also advised to examine their servers for unauthorised access. Because of an email server issue there was a miscommunication between Fortinet and Klaus, and the researcher published details of the vulnerability on January 3, twelve days before Fortinet released a patch, so some attacks may already have taken place.
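As an added illustration of the two recommendations above (this is not code from Fortinet or from Klaus), the script below does the check a defender would run on a FortiSIEM Supervisor: it parses SSH authentication log lines, flags every successful “tunneluser” login whose source address is outside the networks where the organisation’s collectors live, and emits firewall rules that limit port 19999 to those networks. It assumes the tunneluser service logs in the standard OpenSSH “Accepted publickey for … from …” format; the log lines and the collector network 10.20.0.0/24 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of SSH authentication log lines (syslog format). These are
# not from a real FortiSIEM host; they mimic what a Supervisor's auth log would
# record for the SSH service that collectors use on port 19999 (assumption: that
# service logs in the standard OpenSSH format).
SAMPLE_AUTH_LOG = """\
Jan  3 10:12:01 supervisor sshd[4121]: Accepted publickey for tunneluser from 10.20.0.11 port 51234 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan  3 10:12:44 supervisor sshd[4130]: Accepted publickey for tunneluser from 10.20.0.12 port 51240 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan  4 02:31:09 supervisor sshd[4808]: Accepted publickey for tunneluser from 203.0.113.77 port 40022 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan  4 02:31:10 supervisor sshd[4808]: Received disconnect from 203.0.113.77 port 40022:11: disconnected by user
Jan  4 09:05:55 supervisor sshd[5102]: Accepted publickey for admin from 10.20.0.5 port 50001 ssh2: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Jan  5 11:40:03 supervisor sshd[6011]: Accepted publickey for tunneluser from 198.51.100.9 port 39999 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Matches a successful OpenSSH login and captures timestamp, auth method,
# user name and source address.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def unexpected_tunneluser_logins(log_lines, allowed_collector_nets, user="tunneluser"):
    """Return (timestamp, source_ip, method) for each successful login as `user`
    whose source address is not inside any of the allowed collector networks.

    Because the tunneluser key is identical on every install, the key
    fingerprint tells you nothing; the source address is the only useful
    discriminator, so anything outside the collector networks is suspect.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_collector_nets]
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.match(line)
        if not m or m.group("user") != user:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in allowed):
            hits.append((m.group("ts"), str(src), m.group("method")))
    return hits


def firewall_rules(allowed_collector_nets, port=19999):
    """iptables rules (as strings, not executed) that accept the tunneluser
    port only from the collector networks and drop everything else."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
        for net in allowed_collector_nets
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    # Hypothetical collector network; replace with your own.
    collectors = ["10.20.0.0/24"]
    for ts, src, method in unexpected_tunneluser_logins(SAMPLE_AUTH_LOG.splitlines(), collectors):
        print(f"SUSPECT: {ts} tunneluser login via {method} from {src}")
    print("\n".join(firewall_rules(collectors)))
```

On a real host, feed the function the Supervisor’s auth log (for example the output of `journalctl -u sshd` or `/var/log/secure`) instead of the constructed sample, and treat any hit dated before the January 15 patch as a reason to investigate further, since the restricted shell is the only thing standing between that login and the rest of the system.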
