Pexip Infinity Non-Unique SSH Host Keys

2015.01.30
Credit: giles
Risk: Low
Local: No
Remote: Yes
CWE: CWE-254


CVSS Base Score: 7.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: None

Summary
=======

The operating system used by Pexip Infinity does not create unique SSH host keys on deployment of new Management and Conferencing Nodes, using fixed host keys instead. Host keys are used to verify the identity of the remote host when connecting to it over SSH. These keys are contained in the publicly available software image. An attacker with privileged network access may make use of these keys to spoof the identity of a Pexip Infinity installation or conduct man-in-the-middle attacks on administrative SSH sessions. This may permit the attacker access to credentials used to authenticate sessions over SSH and provide shell access to the affected systems.

This issue is resolved in Pexip Infinity version 8.

References
==========

CVE-2014-8779
http://pexip.com/security-bulletins
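Because the weakness is a host key shared by every node deployed from the same image, one way to check a fleet for it is to fingerprint each host's key and look for fingerprints that appear on more than one host. The script below is an added example, not part of the advisory or of Pexip's software; it assumes input in `ssh-keyscan` output format (`host keytype base64-blob`), and the hostnames and key blobs in it are constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _constructed_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob (constructed, not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(blob).decode()


# Constructed ssh-keyscan style output: "host keytype base64-blob".
SHARED = _constructed_blob(b"image-default")
SAMPLE_SCAN = "\n".join([
    "# constructed sample, not real hosts or keys",
    f"mgmt.example.test ssh-ed25519 {SHARED}",
    f"conf1.example.test ssh-ed25519 {SHARED}",
    f"conf2.example.test ssh-ed25519 {SHARED}",
    f"bastion.example.test ssh-ed25519 {_constructed_blob(b'unique')}",
    "broken.example.test ssh-ed25519 not*base64",
])


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_text: str) -> dict:
    """Map fingerprint -> sorted hosts, keeping only keys seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        try:
            hosts_by_fp[fingerprint(parts[2])].add(parts[0])
        except ValueError:  # binascii.Error subclasses ValueError
            continue  # skip malformed key material
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```

Any fingerprint reported for more than one host means those hosts cannot be told apart by their SSH host key, so their keys should be regenerated and the clients' `known_hosts` entries refreshed.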




Copyright 2024, cxsecurity.com

 
