packetstorm | Tod Beardsley | PACKETSTORM:131259
Apr 02, 2015 - 12:00 a.m.

Ceragon FibeAir IP-10 SSH Private Key Exposure


EPSS: 0.266 (Low), percentile 96.8%

`# Ceragon FibeAir IP-10 SSH Private Key Exposure (CVE-2015-0936)  
  
## Product Description  
  
Ceragon produces a series of ruggedized, microwave backhaul devices used  
to provide connectivity to mobile, IP-based devices; usually, these  
devices are found in either large industrial environments, or installed  
on towers to provide "middle-mile" connectivity to mobile customers on  
behalf of ISPs. In other words, a FibeAir IP-10 typically acts as a router  
of IP traffic. A compromise on these devices can expose the  
communications of all subscribed devices.  
  
## Vulnerability Summary  
  
Several versions of Ceragon FibeAir IP-10 devices have been identified  
as having a static, pre-generated public/private keypair associated with  
the "mateidu" user available both locally on these devices, and as part  
of update packages. This issue is similar to the previously-reported  
default root password, reported by Jasper Greve and identified as  
[CVE-2015-0924][1]. This vulnerability was [discovered independently][2]  
by HD Moore of Rapid7, Inc., while validating CVE-2015-0924.  
  
## Details  
  
There are two important distinctions from CVE-2015-0924. First, the  
mateidu user does not, by default, have root-level access permissions on  
the device. In order to obtain root access, an attacker would need to  
also exercise a local vulnerability.  
  
Second, even if the user was able to easily replace the mateidu  
authorized_keys file, later firmware upgrades replace any existing  
authorized_keys file with the standard issue key. Distributions of these  
update packages containing the corresponding private key are easily  
obtained by using simple search terms on any major search engine.  
  
A Metasploit module has been produced and published to demonstrate the  
vulnerability, and is made publicly available so device owners and  
maintainers may effectively and easily test any mitigation and patching  
solution provided or invented.  
  
### Exposed Key Pair  
  
The shipping public key for the mateidu user has the fingerprint  
`27:c6:ad:f9:a6:4d:22:3f:18:b0:3b:df:81:1c:57:45` and is:  
  
```  
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwRIdDlHaIqZXND/l1vFT7ue3rc/DvXh2yx5EFtuxGQRHVxGMazDhV4vj5ANGXDQwUYI0iZh6aOVrDy8I/y9/y+YDGCvsnqrDbuPDjW26s2bBXWgUPiC93T3TA6L2KOxhVcl7mljEOIYACRHPpJNYVGhinCxDUH9LxMrdNXgP5Ok= mateidu@localhost  
```  
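
Because firmware upgrades restore the standard issue key, an `authorized_keys` file is worth re-checking after every upgrade. The following is an added example, not part of the original advisory or the Metasploit module: it flags entries whose key blob equals the public key above and reports each hit's colon-separated MD5 fingerprint for comparison with the one quoted in this section. The function names and the sample file contents are constructed for illustration.

```python
import base64
import hashlib

# Public key blob for the "mateidu" user, copied from this advisory.
EXPOSED_PUBKEY_B64 = (
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAwRIdDlHaIqZXND/l1vFT7u"
    "e3rc/DvXh2yx5EFtuxGQRHVxGMazDhV4vj5ANGXDQwUYI0iZh6"
    "aOVrDy8I/y9/y+YDGCvsnqrDbuPDjW26s2bBXWgUPiC93T3TA6"
    "L2KOxhVcl7mljEOIYACRHPpJNYVGhinCxDUH9LxMrdNXgP5Ok="
)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def decode_blob(b64):
    """Return the raw key blob, or None if the field is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def md5_fingerprint(blob):
    """Legacy OpenSSH-style colon-separated MD5 fingerprint of a key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def find_exposed_keys(text, exposed_b64=EXPOSED_PUBKEY_B64):
    """Return (line_number, fingerprint, comment) for entries using the exposed key."""
    exposed = decode_blob(exposed_b64)
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An entry may carry options before the key type, so scan for the type field.
        for i, field in enumerate(fields[:-1]):
            blob = decode_blob(fields[i + 1]) if field.startswith(KEY_TYPE_PREFIXES) else None
            if blob is not None and blob == exposed:
                hits.append((lineno, md5_fingerprint(blob), " ".join(fields[i + 2:])))
                break
    return hits

# Constructed sample authorized_keys content (not taken from a real device).
SAMPLE = "\n".join([
    "# constructed sample",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQ== operator@example",
    'no-pty,command="/bin/true" ssh-rsa ' + EXPOSED_PUBKEY_B64 + " mateidu@localhost",
    "ssh-rsa not*base64 broken@example",
])

if __name__ == "__main__":
    for hit in find_exposed_keys(SAMPLE):
        print(hit)
```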
  
The private key is:  
  
  
## Vendor Response  
  
According to the vendor, "A software version that fixes the  
vulnerability found in the IP-10 product has been released and is  
available to our customers for download through our customer support  
resource center. Customers who need assistance are encouraged to contact  
a Ceragon customer support representative."  
  
## Timeline  
  
* Jan 16, 2015 (Sat): CVE-2015-0924 disclosed by CERT/CC  
* Jan 21, 2015 (Thu): Rapid7 researcher HD Moore discovers this related  
vulnerability  
* Jan 26, 2015 (Mon): Vendor is notified of the vulnerability  
* Feb 02, 2015 (Tue): Vendor confirms report and indicates a fix is  
prepared  
* Feb 11, 2015 (Thu): CERT/CC is notified, assigns VU#573412 and  
CVE-2015-0936.  
* Mar 26, 2015 (Thu): Vendor confirms a fix has been released  
* Apr 01, 2015 (Wed): [Public disclosure][3] and [Metasploit module][4] are  
published  
  
[1]:https://www.kb.cert.org/vuls/id/936356  
[2]:https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying/  
[3]:https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15  
[4]:https://github.com/rapid7/metasploit-framework/pull/5054  
  
  
`
