search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Embedded devices use non-unique X.509 certificates and SSH host keys

Vulnerability Note VU#566724

Original Release Date: 2015-11-25 | Last Revised: 2016-09-06

Overview

Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.

Description

CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs

Research by Stefan Viehbཬk of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VOIP phones.

For the majority of vulnerable devices, reuse of certificates and keys are limited to the product lines of individual vendors. There are some instances where identical certificates and keys are used by multiple vendors. In these cases, the root cause may be due to firmware that is developed from common SDKs, or OEM devices using ISP-provided firmware.

Vulnerable devices may be subject to impersonation, man-in-the-middle, or passive decryption attacks. It may be possible for an attacker to obtain credentials or other sensitive information that may be used in further attacks. For additional details about the research and affected products by certificates and SSH host keys, refer to the original SEC Consult blog post on the topic, as well as the nine-month follow-up blog.

Impact

A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

Solution

In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.

Change X.509 certificates or SSH host keys

Where possible, users of affected devices should manually replace X.509 certificates or SSH host keys so that they are unique to the device.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent a capable attacker from intercepting and decrypting vulnerable communications, but it may limit an attacker's ability to make use of compromised credentials from an untrusted host.

Vendor Information

566724
Expand all

Actiontec

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   October 16, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco

Notified:  September 24, 2015 Updated:  December 01, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151125-ci

Addendum

Cisco has assigned CVE-2015-6358 for their affected products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems, Inc.

Notified:  September 24, 2015 Updated:  December 01, 2015

Statement Date:   November 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

General Electric

Notified:  September 24, 2015 Updated:  February 03, 2016

Statement Date:   November 04, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Huawei Technologies

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   November 02, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetComm Wireless Limited

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   September 29, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sierra Wireless

Notified:  September 24, 2015 Updated:  December 01, 2015

Statement Date:   November 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---vu_566724/

Addendum

CVE-2015-8260 has been assigned for affected Sierra Wireless products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Technicolor

Notified:  September 24, 2015 Updated:  November 12, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CVE-2015-7276 has been assigned for affected Technicolor products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubiquiti Networks

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   September 29, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unify Inc

Notified:  September 25, 2015 Updated:  December 01, 2015

Statement Date:   September 28, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://networks.unify.com/security/advisories/OBSO-1511-02.pdf https://networks.unify.com/security/advisories/OBSO-1511-02-A.pdf

Addendum

CVE-2015-8251 has been assigned for affected Unify products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZTE Corporation

Notified:  September 24, 2015 Updated:  November 05, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CVE-2015-7255 has been assigned for affected ZTE products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL

Notified:  September 24, 2015 Updated:  December 01, 2015

Statement Date:   November 05, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.zyxel.com/support/announcement_SSH_private_key_and_certificate_vulnerability.shtml

Addendum

CVE-2015-7256 has been assigned for affected ZyXEL products

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ADB

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ADTRAN

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel-Lucent

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alpha Networks Inc

Notified:  September 24, 2015 Updated:  November 20, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  February 23, 2016 Updated:  February 23, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Aztech

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clear

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Comtrend Corporation

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Deutsche Telekom

Notified:  September 25, 2015 Updated:  September 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

DrayTek Corporation

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Edimax Computer Company

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Green Packet

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Innatech

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Korenix

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linksys

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mezon

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mobinet

Updated:  November 20, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Motorola, Inc.

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Moxa Inc

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

National Cyber Security Center - Netherlands

Notified:  December 03, 2015 Updated:  December 03, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netgear, Inc.

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Opengear

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pace

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Robustel

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sagemcom

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Seagate Technology LLC

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Seowon Intech Inc

Notified:  September 24, 2015 Updated:  November 20, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TP-LINK

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TRENDnet

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Vodafone Group, Inc.

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Western Digital Technologies

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Zhone

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

amx

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal 4.8 E:F/RL:U/RC:C
Environmental 3.5 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Stefan Viehböck of SEC Consult for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-6358, CVE-2015-7255, CVE-2015-7256, CVE-2015-7276, CVE-2015-8251, CVE-2015-8260
Date Public: 2015-11-25
Date First Published: 2015-11-25
Date Last Updated: 2016-09-06 16:03 UTC
Document Revision: 68

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.