616 matches found
Advantech EKI Hard-coded SSH Keys Vulnerability
OVERVIEW Independent researcher Neil Smith has identified a hard-coded SSH key vulnerability in Advantech’s EKI-122X series products. Advantech has produced new firmware to mitigate this vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS Advantech reports that the...
KeyBox - A web-based SSH console that centrally manages administrative access to systems
KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users. Administrators can login...
On the Cisco Default SSH Keys, OPM Hack, the Adobe Zero Day, and More
Dennis Fisher and Mike Mimoso talk about the Cisco default SSH keys, more details of the OPM data breach, the Adobe 0-day and why we never hear about bad APT groups, only the really good ones. Download: digitalunderground208.mp3 Music by Chris Gonsalves...
GitHub accounts hacked: old vulnerability leaves large numbers of weak keys in place (vulnerability alert, Heiba Security Net)
A look back at the causes of the security risk: seven years ago a developer found a catastrophic vulnerability affecting GitHub, after which GitHub revoked a number of weak keys that were being used to access accounts. GitHub allows authorized users to log in to accounts affiliated with Spotify, Yandex, and the ...
Dennis Fisher and Mike Mimoso on Facebook's Security Moves, GitHub's Audit and More
Dennis Fisher and Mike Mimoso discuss Facebook’s moves toward encrypted notifications and SHA-2 usage, the audit of GitHub SSH keys and the awesome OpenSesame garage door hack from Samy Kamkar. Download: digitalunderground206.mp3 Music by Chris Gonsalves...
Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug
An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago. The public SSH keys that users associate with their GitH...
Juniper Networks Junos OS Insufficient Entropy Vulnerability
Junos OS on QFX3500 and QFX3600 platforms is prone to an insufficient entropy vulnerability. SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE...
Juniper Junos QFX Low Entropy Vulnerability (JSA10678)
According to its self-reported version number, the remote Juniper Junos device is affected by a low entropy vulnerability due to an insufficient number of bytes being collected from the RANDOMINTERRUPT entropy source when the device is first booted, thus resulting in the generation of weak SSH ke...
Pexip Infinity static ssh keys
Static ssh key is used on nodes creation...
Web Application Brute Force Attack: Crowbar
Web Application Brute Force Attack Crowbar was developed to brute force some protocols in a different manner than other 'popular' brute forcing tools. As an example, while most brute forcing tools use a username and password for SSH brute forcing, Crowbar uses SSH keys. Currently Crowbar supports...
[SECURITY] Fedora 20 Update: facter-1.7.6-1.fc20
Facter is a lightweight program that gathers basic node information about the hardware and operating system. Facter is especially useful for retrieving things like operating system names, hardware characteristics, IP addresses, MAC addresses, and SSH keys. Facter is extensible and allows gatheri...
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities Affected Versions: Aerohive Hive Manager Stand-alone and Cloud = 6.1R3 and HiveOS 6.1R3 PDF:...
Gitlab-shell Code Execution
This module takes advantage of the addition of authorized ssh keys in the gitlab-shell functionality of Gitlab. Versions of gitlab-shell prior to 1.7.4 used the ssh key provided directly in a system call resulting in a command injection vulnerability. As this relies on adding an ssh key to an...
Internet Bug Bounty: Multiple issues in looking-glass software (aka from web to BGP injections)
During the month of May 2014 we performed an offensive security analysis, trying to find out how hard it would be for a low-to-medium skilled attacker to disrupt the core of the Internet, i.e. achieve the largest possible impact at the lowest common layer, with minimal resources. This is a confidential...
OnApp SSH keys cloning
ECDSA host keys are not regenerated after system image cloning...
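Two of the results above describe findings that a client-side key audit can catch: the GitHub audit found RSA keys small enough to be factorable and keys still on the Debian OpenSSL weak-key blocklist, and the OnApp entry describes ECDSA host keys that stay identical across cloned images, which shows up as the same host key being presented by different hosts. The following is an added example, not code from any of the listed advisories or vendors: it parses OpenSSH key lines (known_hosts or authorized_keys format), reports RSA modulus size, checks the OpenSSH-style SHA256 fingerprint against a blocklist, and flags one key appearing under several hosts. The 2048-bit threshold is an assumed policy value, the sample key lines are constructed from arbitrary numbers of the right size (not real keys), and DEMO_BLOCKLIST is a constructed stand-in for a real weak-key fingerprint list.

```python
import base64
import hashlib
import struct

# Added example (not code from the advisories listed on this page). Audits SSH public
# keys in known_hosts / authorized_keys format for: RSA keys below a size threshold,
# fingerprints on a blocklist (stand-in for the Debian weak-key blocklist), and the same
# host key presented by different hosts (what an un-regenerated key on a cloned image
# looks like from the client side).

MIN_RSA_BITS = 2048  # assumed policy threshold; 512/768-bit moduli are factorable


def _ssh_string(b: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 'mpint' (leading 0x00 if high bit set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + length], off + length


def decode_blob(b64: str) -> dict:
    """Parse a base64 key blob into key type, OpenSSH-style SHA256 fingerprint and size."""
    blob = base64.b64decode(b64)
    ktype_raw, off = _read_string(blob, 0)
    ktype = ktype_raw.decode()
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": ktype, "fingerprint": "SHA256:" + fp, "bits": None}
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, unused here
        n, off = _read_string(blob, off)       # modulus
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif ktype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)   # e.g. b"nistp256"
        info["bits"] = int(curve.decode()[len("nistp"):])
    elif ktype == "ssh-ed25519":
        info["bits"] = 256
    return info


def audit(lines, blocklist=frozenset()):
    """Return one (host, type, fingerprint, problems) tuple per key line, in input order."""
    findings = []
    first_seen = {}  # fingerprint -> first host that presented it
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
        host = fields[0] if idx == 1 else "-"  # authorized_keys lines carry no host
        key = decode_blob(fields[idx + 1])
        problems = []
        if key["type"] == "ssh-rsa" and key["bits"] < MIN_RSA_BITS:
            problems.append(f"rsa-{key['bits']}-bits")
        if key["fingerprint"] in blocklist:
            problems.append("blocklisted-fingerprint")
        owner = first_seen.setdefault(key["fingerprint"], host)
        if owner != host:
            problems.append(f"duplicate-of-{owner}")
        findings.append((host, key["type"], key["fingerprint"], problems))
    return findings


def make_rsa_line(host: str, n: int, e: int = 65537) -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def make_ecdsa_line(host: str, point: bytes) -> str:
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    return f"{host} ecdsa-sha2-nistp256 {base64.b64encode(blob).decode()}"


# Constructed sample known_hosts: moduli and curve point are arbitrary values of the
# right size, not real keys (the parser never validates them mathematically).
WEAK_N = (1 << 511) | 0x1235               # 512 bits: the "easily factorable" class
OK_N = (1 << 2047) | 0x3                   # 2048 bits
OTHER_N = (1 << 2047) | 0x5
CLONED_POINT = b"\x04" + bytes(range(64))  # 65-byte stand-in for an uncompressed P-256 point
SAMPLE_KNOWN_HOSTS = [
    make_ecdsa_line("host-a.example", CLONED_POINT),
    make_ecdsa_line("host-b.example", CLONED_POINT),  # same host key as host-a: cloned image
    make_rsa_line("host-c.example", WEAK_N),
    make_rsa_line("host-d.example", OK_N),
    make_rsa_line("host-e.example", OTHER_N),
]
# Constructed stand-in for a real weak-key blocklist: it contains host-e's fingerprint
# only so that the blocklist check has something to hit.
DEMO_BLOCKLIST = frozenset({decode_blob(SAMPLE_KNOWN_HOSTS[4].split()[2])["fingerprint"]})

if __name__ == "__main__":
    for host, ktype, fp, problems in audit(SAMPLE_KNOWN_HOSTS, DEMO_BLOCKLIST):
        print(f"{host:16} {ktype:20} {fp}  {', '.join(problems) or 'ok'}")
```

Run against a real `~/.ssh/known_hosts` or an exported set of authorized_keys files, the duplicate check is the one that exposes cloned images: every host built from the same template answers with the same fingerprint until `ssh-keygen -A` is re-run on each one. Hashed known_hosts entries (`HashKnownHosts yes`) hide the host name but not the key, so the duplicate check still works, only the reported host field becomes the hash.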
CVE-2013-6372
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file...
Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key
Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key. Author: xistence. Affected products: Loadbalancer.org Enterprise VA 7.5.2 and below. Affected vendors: Loadbalancer.o...
Loadbalancer.org Enterprise VA 7.5.2 Static SSH Key
Author: xistence. Affected products: Loadbalancer.org Enterprise VA 7.5.2 and below. Affected vendors: Loadbalancer.org http://www.loadbalancer.org/...
CVE-2013-4959
Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensitive information without the "no-cache" setting, which might allow local users to obtain sensitive information such as (1) host name, (2) MAC address, and (3) SSH keys via the web browser cache...
GetResourceServlet pre-auth arbitrary file download vulnerability
The GetResourceServlet Servlet is vulnerable to an arbitrary file download attack. As the Servlet doesn’t implement its own authorization checks, this can be exploited anonymously. By taking an attacker controlled name parameter and using this in a call to URLConnection.openConnection, an attacke...