Vulnerability Note VU#662676
Digital Alert Systems DASDEC and Monroe Electronics R189 One-Net firmware exposes private root SSH key
Digital Alert Systems DASDEC and Monroe Electronics One-Net R189 Emergency Alert System (EAS) devices exposed a shared private root SSH key in publicly available firmware images. An attacker with SSH access to a device could use the key to log in with root privileges.
The Digital Alert Systems DASDEC-I and DASDEC-II and Monroe Electronics R189 One-Net/R189SE One-NetSE are Linux-based EAS encoder/decoder (ENDEC) devices that are used to broadcast EAS messages over digital and analog channels. IOActive has reported several security issues affecting these devices. The most severe of these issues is the public disclosure of the default private root SSH key. The less severe issues could also contribute to an attacker's ability to compromise a vulnerable device.
Compromised root SSH key (CVE-2013-0137)
An attacker with the private key and SSH access can log in to a device with root privileges.
Apply an update
To generate new SSH keys, use ssh-keygen.
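After replacing keys, it is worth confirming that the shared key is no longer authorized anywhere. The following is an added example, not code from CERT/CC or the vendors: it scans authorized_keys text for keys whose OpenSSH SHA256 fingerprint is on a known-exposed list. It assumes the public half of the exposed key is listed in root's authorized_keys file; the keys and fingerprint below are constructed placeholders, since this note does not publish the real fingerprint.

```python
import base64
import hashlib
import struct

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def keys_in(text: str):
    """Yield (line_no, key_type, blob) for each key in authorized_keys text."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (e.g. command="...") may precede the key type, so accept the
        # first field pair whose decoded blob names the same type in its header.
        for ktype, b64 in zip(fields, fields[1:]):
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            (n,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
            if n and blob[4:4 + n] == ktype.encode():
                yield no, ktype, blob
                break

def find_known_keys(text: str, bad_fingerprints: set) -> list:
    """Return line numbers whose key matches a known-exposed fingerprint."""
    return [no for no, _, blob in keys_in(text)
            if fingerprint(blob) in bad_fingerprints]

def make_key(seed: bytes) -> str:
    """Constructed ssh-ed25519 public key line (sample data, not a real key)."""
    name = b"ssh-ed25519"
    body = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + body
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample: SHARED stands in for the key shipped in the firmware.
SHARED = make_key(b"placeholder for the firmware key")
SAMPLE = "\n".join([
    "# root authorized_keys (constructed sample)",
    make_key(b"operator") + " operator@station",
    'command="/bin/true",no-pty ' + SHARED + " root@factory",
])
BAD = {fingerprint(base64.b64decode(SHARED.split()[1]))}

if __name__ == "__main__":
    for no in find_known_keys(SAMPLE, BAD):
        print(f"line {no}: shared key still authorized; remove it")
```
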
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Digital Alert Systems | Affected | 18 Jan 2013 | 26 Jun 2013 |
| Monroe Electronics | Affected | 18 Jan 2013 | 24 Jun 2013 |
CVSS Metrics
Thanks to Mike Davis and Cesar Cerrudo of IOActive for reporting these issues. Thanks also to Monroe Electronics for their efforts to contact affected users.
This document was written by Art Manion.
- CVE IDs: CVE-2013-0137
- Date Public: 24 Jun 2013
- Date First Published: 26 Jun 2013
- Date Last Updated: 13 Nov 2013
- Document Revision: 93