Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.
CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs
Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VoIP phones.
A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.
In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.
Change X.509 certificates or SSH host keys
D-Link Systems, Inc. Affected
General Electric Affected
Huawei Technologies Affected
NetComm Wireless Limited Affected
Sierra Wireless Affected
Ubiquiti Networks Affected
Unify Inc Affected
ZTE Corporation Affected
Alpha Networks Inc Unknown
Comtrend Corporation Unknown
Deutsche Telekom Unknown
DrayTek Corporation Unknown
Edimax Computer Company Unknown
Green Packet Unknown
Motorola, Inc. Unknown
Moxa Inc Unknown
Netgear, Inc. Unknown
Seagate Technology LLC Unknown
Seowon Intech Inc Unknown
Vodafone Group, Inc. Unknown
Western Digital Technologies Unknown
Thanks to Stefan Viehböck of SEC Consult for reporting this vulnerability.
This document was written by Joel Land.