Digital Alert Systems Information for VU#662676

Digital Alert Systems DASDEC and Monroe Electronics R189 One-Net firmware exposes private root SSH key

Status

Affected

Vendor Statement

Monroe Electronics released Version 2.0-2, which includes a cumulative security update that resolves potential vulnerabilities by removing default SSH keys, providing a simplified user option to load new SSH keys, changing password handling, and other security enhancements.

Version 2.0-2 was released on 24 April 2013, after soft launch in March 2013. Most device users have already obtained and installed this update.

Users should always maintain secure network connections for their EAS/CAP systems, including firewalls and/or other basic network safeguards, as a standard and common sense best practice. Monroe Electronics has encouraged all users to adhere to FCC guidance and FEMA recommendations in this area.

Users who had previously disabled or changed their SSH keys and default passwords are not impacted, but should apply the v2.0-2 update nonetheless. There have been no reports of any incidents relating to SSH keys, and the company issued this security update as a precautionary measure.

No evidence of predictable session IDs was found after extensive examination of equipment, including fielded devices. The finding appears to be an anomaly based on the particular test method used by the researcher, which did not involve the actual device. This issue does not appear in the actual device.

DASDEC users can obtain the DASDEC v2.0-2 software update and release notes by contacting support@digitalalertsystems.com. One-Net users can obtain the R189 One-Net v2.0-2 software update and release notes by contacting customer service at eas@monroe-electronics.com.

Vendor Information

Digital Alert Systems has released firmware version 2.0-2 for DASDEC-I and DASDEC-II devices.

Vendor References

http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf
http://www.digitalalertsystems.com/registration_updates.html
http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf
http://www.monroe-electronics.com/EAS_pages/r189se_registration.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.