nessus | This script is Copyright (C) 2013-2023 Tenable Network Security, Inc. | EAS_DEFAULT_KEY.NASL
History: Aug 19, 2013 - 12:00 a.m.

Multiple Vendors EAS Authentication Bypass

2013-08-19 00:00:00
This script is Copyright (C) 2013-2023 Tenable Network Security, Inc.
www.tenable.com
18

7 High

AI Score

Confidence

Low

0.007 Low

EPSS

Percentile

80.7%

The remote EAS device permits root login using an SSH key whose private key is publicly available. The private key was included in older copies of Monroe Electronics and Digital Alert Systems firmware.
A remote attacker with access to the private key can bypass authentication of the root user.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Description mode: when the plugin is loaded with `description` set, only the
# metadata below is registered and the script exits before any check runs.
if (description)
{
  script_id(69471);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  # Cross-references for the same issue: CVE, Bugtraq ID and CERT note number.
  script_cve_id("CVE-2013-0137");
  script_bugtraq_id(60810);
  script_xref(name:"CERT", value:"662676");

  script_name(english:"Multiple Vendors EAS Authentication Bypass");
  # The summary names the one file this plugin inspects.
  script_summary(english:"Checks the authorized_keys2.dasdec file for the presence of the compromised key");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an authentication bypass 
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote EAS device permits root login using an SSH key with a 
publicly available private key. The private key was included in 
older copies of Monroe Electronics and Digital Alert Systems firmware.
A remote attacker with access to the private key can bypass 
authentication of the root user.");
  script_set_attribute(attribute:"solution", value:"Update to firmware version 2.0-2 or higher.");
  script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/662676/");
  # https://web.archive.org/web/20130712221439/http://www.informationweek.com/security/vulnerabilities/zombie-apocalypse-broadcast-hoax-explain/240157934
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?637f824e");
  # https://arstechnica.com/information-technology/2013/07/we-interrupt-this-program-to-warn-the-emergency-alert-system-is-hackable/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fbb8fb12");
  # CVSS v2 base vector: network attack vector, low complexity, no
  # authentication, complete confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # Temporal vector: unproven exploitability (E:U), official fix (RL:OF),
  # confirmed report (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # NOTE(review): these two fields record exploit availability only. The
  # description above states that the private key itself is public, so triage
  # should not rate the finding as low-likelihood on the strength of them.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # As recorded here, the patch date (2013/04/24) is earlier than the
  # vulnerability publication date (2013/06/26).
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/19");

  # "local" plugin type: the check below runs commands on the target over an
  # SSH session rather than probing the service from outside.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:monroe_electronics:r189_one-net_eas");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:digital_alert_systems:dasdec_eas");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2013-2023 Tenable Network Security, Inc.");

  # ssh_get_info.nasl presumably populates the KB items read later
  # (Host/local_checks_enabled, Host/uname) - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_ports("Services/ssh", 22);
  # Required KB key: a scan without working credentials does not satisfy it,
  # so such a scan says nothing about whether the host carries the key.
  script_require_keys("Host/local_checks_enabled");

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("ssh_func.inc");


# Credentialed check for CVE-2013-0137: look for the fingerprint of the
# compromised key in /root/.ssh/authorized_keys2.dasdec on the target.
enable_ssh_wrappers();

# Stop unless the knowledge base records that local checks are enabled.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Only hosts whose stored uname string contains "Linux" are examined.
if ("Linux" >!< get_kb_item_or_exit("Host/uname"))
  audit(AUDIT_OS_NOT, "Linux");

# Both remote commands are guarded by `test -f`, so they print nothing when
# the vendor-specific authorized keys file does not exist.
# NOTE(review): the file lives under /root, so the scan account presumably
# needs root or working privilege escalation. If the command cannot read the
# file, the output is empty and the host is audited as not affected.
keygen_command = "test -f /root/.ssh/authorized_keys2.dasdec && ssh-keygen -l -f /root/.ssh/authorized_keys2.dasdec";
line_count_command = 'test -f /root/.ssh/authorized_keys2.dasdec && wc -l /root/.ssh/authorized_keys2.dasdec';

# Key size followed by the colon-separated fingerprint of the compromised key,
# as it would appear in an `ssh-keygen -l` output line.
# NOTE(review): this is the legacy colon-hex fingerprint layout. An ssh-keygen
# that prints SHA256 fingerprints by default would not emit this string, so a
# non-match on such a host is not proof that the key is absent.
keygen_expected = "1024 0c:89:49:f7:62:d2:98:f0:27:75:ad:e9:72:2c:68:c3 ";

session_ok = ssh_open_connection();
if (!session_ok)
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());

fingerprint_listing = ssh_cmd(cmd:keygen_command, nosh:TRUE, nosudo:FALSE);

if (keygen_expected >< fingerprint_listing)
{
  # Compromised key found: close the session and report the finding.
  ssh_close_connection();

  # The fingerprint detail is attached only at non-zero report verbosity.
  if (report_verbosity > 0)
    finding_text = '\nFound the RSA public key with fingerprint "0c:89:49:f7:62:d2:98:f0:27:75:ad:e9:72:2c:68:c3" in the authorized keys file.\n';
  else
    finding_text = NULL;

  security_hole(port:kb_ssh_transport(), extra:finding_text);
  exit(0);
}

# No match. At normal paranoia the host is audited as not affected without
# looking further. Per the message below, only the first key in the file was
# compared, so additional keys in that file go unexamined on this path.
if (report_paranoia <= 1)
{
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, "an affected EAS device");
}
else
{
  wc_output = ssh_cmd(cmd:line_count_command, nosh:TRUE, nosudo:FALSE);
  ssh_close_connection();

  # Default to 1 (0 would serve equally well): if no number can be parsed out
  # of the `wc -l` output there is no basis for asking for a manual audit, so
  # the value must not exceed 1.
  line_count = 1;
  wc_fields = eregmatch(pattern:"^([0-9]+) ", string:wc_output);
  if (!isnull(wc_fields) && !isnull(wc_fields[1]))
    line_count = int(wc_fields[1]);

  if (line_count <= 1)
    audit(AUDIT_HOST_NOT, "an affected EAS device");
  else
  {
    # More than one line in the file: ask the operator to review it by hand.
    audit_msg =
      " Note that Nessus checked only the first key in the authorized_keys2.dasdec file,
      yet the file has more than one line. Please manually audit this file.";
    exit(0, audit_msg);
  }
}
Vendor | Product | Version | CPE
monroe_electronics | r189_one-net_eas | (none listed) | cpe:/h:monroe_electronics:r189_one-net_eas
digital_alert_systems | dasdec_eas | (none listed) | cpe:/h:digital_alert_systems:dasdec_eas
