Fortinet FortiRecorder 2.7.3 Hardcoded Password Vulnerability

Published 09 Aug 2019, reported by zdt (source: 0day.today)

Fortinet FortiRecorder 2.7.3 Hardcoded Password Vulnerability impacting FortiCam device

Related entries

| Family | Title | Published |
|---|---|---|
| CVE | CVE-2019-6698 | 23 Aug 2019 19:58 |
| Cvelist | CVE-2019-6698 | 23 Aug 2019 19:58 |
| EUVD | EUVD-2019-16256 | 7 Oct 2025 00:30 |
| Fortinet | FortiRecorder sets credentials of FortiCameras to static values | 12 Aug 2019 00:00 |
| NVD | CVE-2019-6698 | 23 Aug 2019 20:15 |
| Packet Storm | Fortinet FortiRecorder 2.7.3 Hardcoded Password | 7 Aug 2019 00:00 |
| Prion | Hardcoded credentials | 23 Aug 2019 20:15 |
| RedhatCVE | CVE-2019-6698 | 22 May 2025 05:11 |
| Vulnrichment | CVE-2019-6698 | 23 Aug 2019 19:58 |
Fortinet FortiRecorder 2.7.3 Hardcoded Password Vulnerability

Original posting:
https://xor.cat/2019/08/05/fortinet-fortirecorder-hardcoded-password/

Text archive available here:
https://xor.cat/archive/2019/08/05/fortinet-fortirecorder-hardcoded-password.txt

## Background

In June of 2019 I discovered a vulnerability in Fortinet's
FortiRecorder[1] product which impacts the FortiCam devices that are
connected to a FortiRecorder.

The FortiRecorder is a network video recorder product which administers
and manages footage from FortiCam devices connected to it.

The vulnerability was initially discovered on version 2.7.0 GA of the
FortiRecorder VM; I have since tested all versions through v2.7.3, and
they are all vulnerable to the same flaw.

I have confirmed that this vulnerability affects the FortiCam FCM-MB40
device, however it is very likely that the majority of other FortiCam
models are also affected.

Fortinet has provided a fix for this issue in FortiRecorder v2.7.4.

CVE-2019-6698[2] has been assigned to refer to this vulnerability.

## CVE-2019-6698 - FortiRecorder Hardcoded Password

### Summary

Fortinet FortiRecorder Hardcoded Password Vulnerability

    Product: FortiRecorder - All Models
    Version: v2.7.3 and prior versions
    Vendor: Fortinet
    CVE-ID: CVE-2019-6698
    CWE-798: Use of Hard-coded Credentials

The FortiRecorder appliance sets a hardcoded administrative password on
all FortiCams which join it. This password is identical for all
FortiRecorder instances, and for all cameras connected to each
FortiRecorder.

### Details

Upon joining a FortiCam to a FortiRecorder, the FortiRecorder changes
the account passwords for the FortiCam's web administration interface.

The password set by the FortiRecorder for the `fcamOperator`
administrative account is identical across different FortiCams, and
across different FortiRecorder installations.

Because the username and password for the web administration interface
on the FCM-MB40 are stored in cleartext on the filesystem, it is trivial
for an attacker with access to one FCM-MB40 device to read these
credentials and use them to illegitimately access other FortiCam
devices, including cameras attached to entirely different FortiRecorders.

The username and password which are set by the FortiRecorder, and stored
in plaintext on the FCM-MB40's filesystem in `/etc/appWeb/appweb.pass`
appear as follows:

```
$ cat /etc/appWeb/appweb.pass
admin:**************
fcamOperator:12680b17534491
```

This file can only be accessed by gaining access to the filesystem of
the FortiCam device. I describe some methods of gaining FCM-MB40
filesystem access in this post[3].

### Recommended Remediation

 * Securely generated random passwords should be created for each new
   FortiCam device which joins the FortiRecorder, and all existing
   cameras should have their passwords replaced with securely generated
   random passwords.
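The two halves of this advisory, a shared `fcamOperator` password that can be read out of `appweb.pass` on any one camera, and the recommended fix of a fresh random password per camera, can be demonstrated together. The block below is an added example written for this page; it is not FortiRecorder or FortiCam code. It assumes `appweb.pass` holds one `user:password` line per account, as the advisory shows, and that you have already collected each camera's file out of band. All camera names and password values are constructed; `same-on-every-camera` stands in for the real static value and is not the one from the advisory.

```python
"""Fleet audit for a shared FortiCam operator password, plus the per-device
random provisioning the advisory recommends (added example, not Fortinet's code).
"""
import secrets
import string
from collections import defaultdict

OPERATOR_USER = "fcamOperator"               # account named in the advisory
STATIC_PASSWORD = "same-on-every-camera"     # constructed stand-in, not the real value


def parse_appweb_pass(text):
    """Return {user: password} for an appweb.pass body of `user:password` lines.

    Only the first ':' separates user from password, so a password that
    itself contains ':' survives intact. Blank and '#' lines are skipped."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, password = line.split(":", 1)
        creds[user] = password
    return creds


def shared_passwords(fleet, user=OPERATOR_USER):
    """Map each `user` password reused on two or more cameras to those cameras.

    `fleet` is {camera_name: appweb.pass text}. An empty dict means no two
    cameras share the operator password, which is the state you want."""
    by_password = defaultdict(list)
    for camera, text in fleet.items():
        password = parse_appweb_pass(text).get(user)
        if password is not None:
            by_password[password].append(camera)
    return {pw: cams for pw, cams in by_password.items() if len(cams) > 1}


def random_password(length=24):
    """CSPRNG-backed password from `secrets`, never from `random`."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision_static(cameras):
    """Vulnerable pattern: every joined camera gets the same operator password."""
    return {cam: f"admin:{random_password()}\n{OPERATOR_USER}:{STATIC_PASSWORD}\n"
            for cam in cameras}


def provision_random(cameras):
    """Fixed pattern: a fresh random operator password per camera. The recorder
    must persist each one, since it needs it to keep managing that camera."""
    return {cam: f"admin:{random_password()}\n{OPERATOR_USER}:{random_password()}\n"
            for cam in cameras}


# Constructed sample fleet: two cameras joined by a vulnerable recorder carry
# the same operator password; the third was re-provisioned with a unique one.
SAMPLE_FLEET = {
    "cam-lobby": "admin:Adm1n-lobby\nfcamOperator:same-on-every-camera\n",
    "cam-dock":  "admin:Adm1n-dock\nfcamOperator:same-on-every-camera\n",
    "cam-roof":  "admin:Adm1n-roof\nfcamOperator:unique-after-rejoin\n",
}


if __name__ == "__main__":
    for pw, cams in shared_passwords(SAMPLE_FLEET).items():
        print(f"operator password shared by: {', '.join(cams)}")
    fixed = provision_random(SAMPLE_FLEET)
    print("shared after random provisioning:", shared_passwords(fixed))
```

Run the audit over the `appweb.pass` contents pulled from each camera: any non-empty result from `shared_passwords` means one compromised camera yields working credentials for every camera listed beside it. The provisioning functions only build the file bodies; pushing them to the cameras is the recorder's job and is outside what this page documents.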

### Recommendations For Users

If you are using a FortiRecorder device, consider the tips below to
harden your devices and protect your network.

 * Keep these devices in a segregated environment with firewall rules
   preventing them from communicating with the Internet, or other
   networks in your environment, and preventing other devices on your
   network from communicating with them. If possible, prevent all
   devices except the FortiRecorder from communicating with FortiCam
   devices.
 * Ensure the FortiRecorder device and its attached cameras are all up
   to date.

### Fix Information

Fortinet has provided a patch for this issue in FortiRecorder v2.7.4,
released on August 2nd, 2019.

An account on support.fortinet.com[4] is required to gain access to the
patch.

I have yet to confirm how or whether the patch successfully fixes the
vulnerability.

#  0day.today [2021-09-03]  #
