
CERT Coordination Center

Embedded devices use non-unique X.509 certificates and SSH host keys

Vulnerability Note VU#566724

Original Release Date: 2015-11-25 | Last Revised: 2016-09-06

Overview

Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.

Description

CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs

Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VOIP phones.

For the majority of vulnerable devices, reuse of certificates and keys is limited to the product lines of individual vendors. There are some instances where identical certificates and keys are used by multiple vendors. In these cases, the root cause may be firmware that is developed from common SDKs, or OEM devices using ISP-provided firmware.

Vulnerable devices may be subject to impersonation, man-in-the-middle, or passive decryption attacks. It may be possible for an attacker to obtain credentials or other sensitive information that may be used in further attacks. For additional details about the research and affected products by certificates and SSH host keys, refer to the original SEC Consult blog post on the topic, as well as the nine-month follow-up blog.

Impact

A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

Solution

In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.

Change X.509 certificates or SSH host keys

Where possible, users of affected devices should manually replace X.509 certificates or SSH host keys so that they are unique to the device.
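The following is an added example, not part of the CERT/CC note or of SEC Consult's tooling: it applies the fingerprint-matching idea from the Description to an operator's own inventory, reporting which devices present the same SSH host key or X.509 certificate and therefore need replacement material. It assumes ssh-keyscan style input lines and PEM certificates already collected per host; the function names and all sample data are constructed for illustration.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def ssh_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def cert_fingerprint(pem):
    """Hex SHA-256 over the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def parse_keyscan(text):
    """Yield (host, key type, fingerprint) from ssh-keyscan style lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # comment, blank or truncated line
        try:
            yield fields[0], fields[1], ssh_fingerprint(fields[2])
        except ValueError:
            continue  # key field is not valid base64; skip rather than abort

def find_reuse(observations):
    """Return {(kind, fingerprint): [hosts]} for material seen on 2+ hosts."""
    hosts = defaultdict(set)
    for host, kind, fingerprint in observations:
        hosts[(kind, fingerprint)].add(host)
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}

def audit(keyscan_text, certs_by_host):
    """Combine SSH host keys and TLS certificates into one reuse report."""
    seen = list(parse_keyscan(keyscan_text))
    seen += [(h, "x509", cert_fingerprint(p)) for h, p in certs_by_host.items()]
    return find_reuse(seen)

# --- Constructed sample data: stand-in byte strings, not real keys or certs ---
def _b64(raw):
    return base64.b64encode(raw).decode()

def _pem(raw):
    return f"-----BEGIN CERTIFICATE-----\n{_b64(raw)}\n-----END CERTIFICATE-----\n"

SAMPLE_KEYSCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-constructed",
    "192.0.2.10 ssh-rsa " + _b64(b"\x00\x00\x00\x07ssh-rsa firmware default"),
    "192.0.2.11 ssh-rsa " + _b64(b"\x00\x00\x00\x07ssh-rsa firmware default"),
    "192.0.2.12 ssh-rsa " + _b64(b"\x00\x00\x00\x07ssh-rsa generated on device"),
])
SAMPLE_CERTS = {
    "192.0.2.20": _pem(b"constructed DER: shared firmware certificate"),
    "192.0.2.21": _pem(b"constructed DER: shared firmware certificate"),
    "192.0.2.22": _pem(b"constructed DER: per-device certificate"),
}

if __name__ == "__main__":
    for (kind, fp), hosts in audit(SAMPLE_KEYSCAN, SAMPLE_CERTS).items():
        print(f"{kind} {fp} shared by {', '.join(hosts)}")
```

A device that appears in no group still uses a default key if the same firmware is deployed only once in the inventory, so an empty report does not by itself show that a key is unique to the device.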

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent a capable attacker from intercepting and decrypting vulnerable communications, but it may limit an attacker's ability to make use of compromised credentials from an untrusted host.

Vendor Information


Actiontec

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   October 16, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco

Notified:  September 24, 2015 Updated:  December 01, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Cisco has assigned CVE-2015-6358 for their affected products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems, Inc.

Notified:  September 24, 2015 Updated:  December 01, 2015

Statement Date:   November 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

General Electric

Notified:  September 24, 2015 Updated:  February 03, 2016

Statement Date:   November 04, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   November 02, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetComm Wireless Limited

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   September 29, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sierra Wireless

Notified:  September 24, 2015 Updated:  December 01, 2015

Statement Date:   November 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-8260 has been assigned for affected Sierra Wireless products.


Technicolor

Notified:  September 24, 2015 Updated:  November 12, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CVE-2015-7276 has been assigned for affected Technicolor products.


Ubiquiti Networks

Notified:  September 24, 2015 Updated:  November 24, 2015

Statement Date:   September 29, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unify Inc

Notified:  September 25, 2015 Updated:  December 01, 2015

Statement Date:   September 28, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-8251 has been assigned for affected Unify products.


ZTE Corporation

Notified:  September 24, 2015 Updated:  November 05, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CVE-2015-7255 has been assigned for affected ZTE products.


ZyXEL

Notified:  September 24, 2015 Updated:  December 01, 2015

Statement Date:   November 05, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-7256 has been assigned for affected ZyXEL products.


ADB

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ADTRAN

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Alpha Networks Inc

Notified:  September 24, 2015 Updated:  November 20, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Notified:  February 23, 2016 Updated:  February 23, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Aztech

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Clear

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Comtrend Corporation

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Deutsche Telekom

Notified:  September 25, 2015 Updated:  September 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DrayTek Corporation

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Edimax Computer Company

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Green Packet

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Innatech

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Korenix

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mezon

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mobinet

Updated:  November 20, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc.

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Moxa Inc

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

National Cyber Security Center - Netherlands

Notified:  December 03, 2015 Updated:  December 03, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Netgear, Inc.

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Opengear

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Pace

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Robustel

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sagemcom

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Seagate Technology LLC

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Seowon Intech Inc

Notified:  September 24, 2015 Updated:  November 20, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TP-LINK

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TRENDnet

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Vodafone Group, Inc.

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Western Digital Technologies

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Zhone

Notified:  November 20, 2015 Updated:  November 25, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

amx

Notified:  September 24, 2015 Updated:  September 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group          Score  Vector
Base           5.0    AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       4.8    E:F/RL:U/RC:C
Environmental  3.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Stefan Viehböck of SEC Consult for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-6358, CVE-2015-7255, CVE-2015-7256, CVE-2015-7276, CVE-2015-8251, CVE-2015-8260
Date Public: 2015-11-25
Date First Published: 2015-11-25
Date Last Updated: 2016-09-06 16:03 UTC
Document Revision: 68

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.