Monroe Electronics Information for VU#662676
Digital Alert Systems DASDEC and Monroe Electronics R189 One-Net firmware exposes private root SSH key
- Vendor Information Help Date Notified: 18 Jan 2013
- Statement Date: 18 Jun 2013
- Date Updated: 24 Jun 2013
Monroe Electronics released Version 2.0-2, which includes a cumulative security update that resolves potential vulnerabilities by removing of default SSH keys, providing a simplified user option to load new SSH keys, changing password handling, and other security enhancements.
Version 2.0-2 was released on 24 April 2013, after soft launch in March 2013. Most device users have already obtained and installed this update.
Users should always maintain secure network connections for their EAS/CAP systems, including firewalls and/or other basic network safeguards, as a standard and common sense best practice. Monroe Electronics has encouraged all users to adhere to FCC guidance and FEMA recommendations in this area.
Users who had previously disabled or changed their SSH keys and default passwords are not impacted, but should apply the v2.0-2 update nonetheless. There have been no reports of any incidents relating to SSH keys, and the company issued this security update as a precautionary measure.
No evidence of predictable session IDs was found after extensive examination of equipment, including fielded devices. The finding appears to be anomaly based on the particular test method used by the researcher, which did not involve the actual device. This issue does not appear in the actual device.
DASDEC users can obtain the DASDEC v2.0-2 software update and release notes by contacting firstname.lastname@example.org. One-Net users can obtain the R189 One-Net v2.0-2 software update and release notes by contacting customer service at email@example.com.
Monroe Electronics has released firmware version 2.0-2 for R189 One-Net and R189SE One-NetSE devices.
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.