CERT VU:566724
Nov 25, 2015 - 12:00 a.m.

Embedded devices use non-unique X.509 certificates and SSH host keys

www.kb.cert.org

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 5.9 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.003 Low
Percentile: 71.5%

Overview

Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.

Description

CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs

Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VOIP phones.

For the majority of vulnerable devices, reuse of certificates and keys is limited to the product lines of individual vendors. There are some instances where identical certificates and keys are used by multiple vendors. In these cases, the root cause may be firmware that is developed from common SDKs, or OEM devices using ISP-provided firmware.

Vulnerable devices may be subject to impersonation, man-in-the-middle, or passive decryption attacks. It may be possible for an attacker to obtain credentials or other sensitive information that may be used in further attacks. For additional details about the research and affected products by certificates and SSH host keys, refer to the original SEC Consult blog post on the topic, as well as the nine-month follow-up blog.


Impact

A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.


Solution

In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.


Change X.509 certificates or SSH host keys

Where possible, users of affected devices should manually replace X.509 certificates or SSH host keys so that they are unique to the device.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent a capable attacker from intercepting and decrypting vulnerable communications, but it may limit an attacker’s ability to make use of compromised credentials from an untrusted host.


Vendor Information


Actiontec Affected

Notified: September 24, 2015 Updated: November 24, 2015

Statement Date: October 16, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco Affected

Notified: September 24, 2015 Updated: December 01, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Cisco has assigned CVE-2015-6358 for their affected products.


D-Link Systems, Inc. Affected

Notified: September 24, 2015 Updated: December 01, 2015

Statement Date: November 30, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

General Electric Affected

Notified: September 24, 2015 Updated: February 03, 2016

Statement Date: November 04, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies Affected

Notified: September 24, 2015 Updated: November 24, 2015

Statement Date: November 02, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetComm Wireless Limited Affected

Notified: September 24, 2015 Updated: November 24, 2015

Statement Date: September 29, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sierra Wireless Affected

Notified: September 24, 2015 Updated: December 01, 2015

Statement Date: November 26, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-8260 has been assigned for affected Sierra Wireless products.


Technicolor Affected

Notified: September 24, 2015 Updated: November 12, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CVE-2015-7276 has been assigned for affected Technicolor products.


Ubiquiti Networks Affected

Notified: September 24, 2015 Updated: November 24, 2015

Statement Date: September 29, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unify Inc Affected

Notified: September 25, 2015 Updated: December 01, 2015

Statement Date: September 28, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-8251 has been assigned for affected Unify products.


ZTE Corporation Affected

Notified: September 24, 2015 Updated: November 05, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CVE-2015-7255 has been assigned for affected ZTE products.


ZyXEL Affected

Notified: September 24, 2015 Updated: December 01, 2015

Statement Date: November 05, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-7256 has been assigned for affected ZyXEL products.


ADB Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ADTRAN Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alpha Networks Inc Unknown

Notified: September 24, 2015 Updated: November 20, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Unknown

Notified: February 23, 2016 Updated: February 23, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Aztech Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Clear Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Comtrend Corporation Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Deutsche Telekom Unknown

Notified: September 25, 2015 Updated: September 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DrayTek Corporation Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Edimax Computer Company Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Green Packet Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Innatech Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Korenix Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mezon Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mobinet Unknown

Updated: November 20, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc. Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Moxa Inc Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

National Cyber Security Center - Netherlands Unknown

Notified: December 03, 2015 Updated: December 03, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Netgear, Inc. Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Opengear Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Pace Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Robustel Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sagemcom Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Seagate Technology LLC Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Seowon Intech Inc Unknown

Notified: September 24, 2015 Updated: November 20, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TP-LINK Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TRENDnet Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Vodafone Group, Inc. Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Western Digital Technologies Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Zhone Unknown

Notified: November 20, 2015 Updated: November 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

amx Unknown

Notified: September 24, 2015 Updated: September 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References


CVSS Metrics

Group          Score  Vector
Base           5      AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       4.8    E:F/RL:U/RC:C
Environmental  3.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Stefan Viehböck of SEC Consult for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-6358, CVE-2015-7255, CVE-2015-7256, CVE-2015-7276, CVE-2015-8251, CVE-2015-8260
Date Public: 2015-11-25 Date First Published:
