Technical Tip: Disallowing the root account from accessing a FortiClient EMS v7.4.5 server installed on VMware ESX as a virtual OVA template
Description
This article describes the security considerations and provides an example of how to prevent the root account of the underlying Linux OS from being used to access a FortiClient EMS 7.4.5 server.
Scope
FortiClient EMS server version 7.4.5 deployed from an OVA template; basic knowledge of Linux operating systems is assumed.
Solution
Consider a scenario in which a bad actor inside the organization has access to one of the EMS servers that are members of a cluster.
If this threat actor has access to the VM console, they can reboot the server into single-user mode, log in as root without being asked for a password, and set a new root password. From there they can enable SSH access for root and turn the FortiClient EMS server into a backdoor, unbeknownst to the legitimate EMS administrator.
If something then goes wrong, the person responsible for deploying and maintaining the server may be blamed for not securing the VM appliance. This weakness exists in FortiClient EMS server 7.4.5; until it is fixed in a future release, this article shows the steps to mitigate it.
On a newly installed FortiClient EMS server, the default ems account is forced to set a new password on first login:

Once the password is set and the user logs in, the EMS server by default presents a restricted console with a specific set of commands for managing the appliance, without access to the underlying Linux OS or its file system:

To demonstrate the weakness: a FortiClient EMS user runs the EMS CLI command that opens the database and then escapes from it as shown below, and the system drops into a Linux shell. The screenshot below shows this command followed by a few others: the current user ID on the server is ems; the next command (sudo su) switches to the superuser account (root), and listing the logged-in users again now shows root among them:

By design, the root user of a Linux OS has full access to the file system and every privilege.
The screenshots below demonstrate how a bad actor may log in to the server as root and change the root password.
- Log in to the server via the VM console:

- Access the GRUB boot loader and edit the boot entry so that the server boots into single-user mode:

- The server boots into single-user mode without prompting for the root password.

- The root password is changed; the attacker now holds root credentials, which is a severe security risk for the whole server.

To prevent the root user from logging in and accessing the server, change the login shell of the root user in /etc/passwd with a built-in Linux editor such as vi or vim, as shown below. This blocks su and sudo su, both of which execute root's login shell; it does not on its own block a sudoers rule that still lets the ems user run arbitrary commands (for example sudo /bin/bash), so review /etc/sudoers as well.
Boot into single-user mode as described above and change the shell field of the root entry from /bin/bash to /usr/sbin/nologin:


After making this change, log in to the system normally as the built-in ems user and escape into the system shell via the EMS CLI DB command as before.
Attempt to switch to the superuser account with sudo su and confirm that it is denied:

Additionally, disable root access to the server via SSH. Boot into single-user mode as described above and edit /etc/ssh/sshd_config so that it contains the following line, then restart the SSH service. The OpenSSH default is prohibit-password, which still allows root to log in with a key; the value no blocks root login by every authentication method:
PermitRootLogin no
Lastly, make sure that the virtualized environment hosting the FortiClient EMS server is secured and accessible only to authorized personnel. Neither of the changes above prevents the GRUB single-user boot itself; restricting VM console access is what closes that path.
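The two edits above (root's shell set to /usr/sbin/nologin and PermitRootLogin no) carried out by a shell script, as an added example that is not part of this article or of the EMS appliance. It works on file paths passed as arguments so it can be rehearsed on copies before the live /etc/passwd and /etc/ssh/sshd_config are edited from single-user mode. The function names, the sample passwd and sshd_config contents, and the reliance on OpenSSH applying the first occurrence of a keyword are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet's tooling: applies the hardening described above
# to passwd- and sshd_config-format files given as arguments. Function names
# and the constructed sample files in demo() are this example's own.

# Replace the shell field (7th column) of the root entry in a passwd file.
# The result is written back through the existing file so its ownership and
# mode (0644 root:root on a real system) are preserved.
set_root_shell() {
    passwd_file=$1
    new_shell=${2:-/usr/sbin/nologin}
    tmp="$passwd_file.tmp"
    awk -F: -v OFS=: -v sh="$new_shell" '$1 == "root" { $7 = sh } { print }' \
        "$passwd_file" > "$tmp" && cat "$tmp" > "$passwd_file" && rm -f "$tmp"
}

# Print the login shell currently set for root in a passwd file.
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "$1"
}

# Set PermitRootLogin no. OpenSSH honours the FIRST occurrence of a keyword,
# so every existing directive (commented or not, e.g. the stock
# "#PermitRootLogin prohibit-password") is rewritten; if none exists, the
# line is appended.
disable_ssh_root_login() {
    cfg=$1
    tmp="$cfg.tmp"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
            "$cfg" > "$tmp"
    else
        cp "$cfg" "$tmp" && printf 'PermitRootLogin no\n' >> "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Print the effective PermitRootLogin value (first uncommented directive),
# or "prohibit-password", OpenSSH's built-in default, if none is set.
effective_permit_root_login() {
    val=$(awk '$1 == "PermitRootLogin" { print $2; exit }' "$1")
    echo "${val:-prohibit-password}"
}

# Rehearsal on constructed copies modelled on the appliance defaults shown in
# the article (these two files are made up here, not captured from EMS).
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nems:x:1000:1000:ems:/home/ems:/bin/bash\n' \
        > "$dir/passwd"
    printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' \
        > "$dir/sshd_config"
    echo "before: root shell=$(root_shell "$dir/passwd") PermitRootLogin=$(effective_permit_root_login "$dir/sshd_config")"
    set_root_shell "$dir/passwd"
    disable_ssh_root_login "$dir/sshd_config"
    echo "after:  root shell=$(root_shell "$dir/passwd") PermitRootLogin=$(effective_permit_root_login "$dir/sshd_config")"
    rm -rf "$dir"
}

demo
```

On the live appliance, if usermod is available, `usermod -s /usr/sbin/nologin root` makes the same passwd change in one command; after editing sshd_config, run `sshd -t` to validate the file before restarting the SSH service (the service name depends on the distribution the OVA is built on).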
