5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
71.5%
Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.
CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs
Research by Stefan Viehbཬk of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VOIP phones.
For the majority of vulnerable devices, reuse of certificates and keys are limited to the product lines of individual vendors. There are some instances where identical certificates and keys are used by multiple vendors. In these cases, the root cause may be due to firmware that is developed from common SDKs, or OEM devices using ISP-provided firmware.
Vulnerable devices may be subject to impersonation, man-in-the-middle, or passive decryption attacks. It may be possible for an attacker to obtain credentials or other sensitive information that may be used in further attacks. For additional details about the research and affected products by certificates and SSH host keys, refer to the original SEC Consult blog post on the topic, as well as the nine-month follow-up blog.
A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.
In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.
Change X.509 certificates or SSH host keys
Where possible, users of affected devices should manually replace X.509 certificates or SSH host keys so that they are unique to the device.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent a capable attacker from intercepting and decrypting vulnerable communications, but it may limit an attacker’s ability to make use of compromised credentials from an untrusted host.
566724
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: September 24, 2015 Updated: November 24, 2015
Statement Date: October 16, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: December 01, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Cisco has assigned CVE-2015-6358 for their affected products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566724 Feedback>).
Notified: September 24, 2015 Updated: December 01, 2015
Statement Date: November 30, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: February 03, 2016
Statement Date: November 04, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: November 24, 2015
Statement Date: November 02, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: November 24, 2015
Statement Date: September 29, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: December 01, 2015
Statement Date: November 26, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-8260 has been assigned for affected Sierra Wireless products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566724 Feedback>).
Notified: September 24, 2015 Updated: November 12, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-7276 has been assigned for affected Technicolor products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566724 Feedback>).
Notified: September 24, 2015 Updated: November 24, 2015
Statement Date: September 29, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 25, 2015 Updated: December 01, 2015
Statement Date: September 28, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-8251 has been assigned for affected Unify products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566724 Feedback>).
Notified: September 24, 2015 Updated: November 05, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-7255 has been assigned for affected ZTE products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566724 Feedback>).
Notified: September 24, 2015 Updated: December 01, 2015
Statement Date: November 05, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-7256 has been assigned for affected ZyXEL products
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566724 Feedback>).
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: November 20, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 23, 2016 Updated: February 23, 2016
Unknown
We have not received a statement from the vendor.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 25, 2015 Updated: September 25, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: November 20, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 03, 2015 Updated: December 03, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: November 20, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: November 20, 2015 Updated: November 25, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2015 Updated: September 24, 2015
Unknown
We have not received a statement from the vendor.
View all 45 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Temporal | 4.8 | E:F/RL:U/RC:C |
Environmental | 3.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Stefan Viehbཬk of SEC Consult for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: | CVE-2015-6358, CVE-2015-7255, CVE-2015-7256, CVE-2015-7276, CVE-2015-8251, CVE-2015-8260 |
---|---|
Date Public: | 2015-11-25 Date First Published: |
blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
censys.io
scans.io/
scans.io/series/ssh-rsa-full-ipv4
scans.io/study/sonar.ssl
www.sec-consult.com/download/certificates.html
www.sec-consult.com/download/ssh_host_keys.html
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
71.5%