Vulnerability Note VU#566724
Embedded devices use non-unique X.509 certificates and SSH host keys
Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.
CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs
Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VOIP phones.
A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.
In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.
Change X.509 certificates or SSH host keys
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Actiontec||Affected||24 Sep 2015||24 Nov 2015|
|Cisco||Affected||24 Sep 2015||01 Dec 2015|
|D-Link Systems, Inc.||Affected||24 Sep 2015||01 Dec 2015|
|General Electric||Affected||24 Sep 2015||03 Feb 2016|
|Huawei Technologies||Affected||24 Sep 2015||24 Nov 2015|
|NetComm Wireless Limited||Affected||24 Sep 2015||24 Nov 2015|
|Sierra Wireless||Affected||24 Sep 2015||01 Dec 2015|
|Technicolor||Affected||24 Sep 2015||12 Nov 2015|
|Ubiquiti Networks||Affected||24 Sep 2015||24 Nov 2015|
|Unify Inc||Affected||25 Sep 2015||01 Dec 2015|
|ZTE Corporation||Affected||24 Sep 2015||05 Nov 2015|
|ZyXEL||Affected||24 Sep 2015||01 Dec 2015|
|ADB||Unknown||20 Nov 2015||25 Nov 2015|
|ADTRAN||Unknown||20 Nov 2015||25 Nov 2015|
|Alcatel-Lucent||Unknown||24 Sep 2015||24 Sep 2015|
CVSS Metrics (Learn More)
Thanks to Stefan Viehböck of SEC Consult for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-6358 CVE-2015-7255 CVE-2015-7256 CVE-2015-7276 CVE-2015-8251 CVE-2015-8260
- Date Public: 25 Nov 2015
- Date First Published: 25 Nov 2015
- Date Last Updated: 03 Feb 2016
- Document Revision: 65
If you have feedback, comments, or additional information about this vulnerability, please send us email.