what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ceragon FibeAir IP-10 SSH Private Key Exposure

Ceragon FibeAir IP-10 SSH Private Key Exposure
Posted Apr 2, 2015
Authored by Tod Beardsley

Ceragon FibeAir IP-10 suffers from an SSH private key exposure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2015-0936
SHA-256 | 768dfecfdbbc1cece9dc248bd3f46e0b6f857da272a00ca6029519bf8127e833

Ceragon FibeAir IP-10 SSH Private Key Exposure

Change Mirror Download
# Ceragon FibeAir IP-10 SSH Private Key Exposure (CVE-2015-0936)

## Product Description

Ceragon produces a series of ruggedized, microwave backhaul devices used
to provide connectivity to mobile, IP-based devices; usually, these
devices are found in either large industrial environments, or installed
on towers to provide "middle-mile" connectivity to mobile customers on
behalf of ISPs. In other words, a FibeAir IP-10 typically act as a router
of IP traffic. A compromise on these devices can expose the
communications of all subscribed devices.

## Vulnerability Summary

Several versions of Ceragon FibeAir IP-10 devices have been identified
as having a static, pre-generated public/private keypair associated with
the "mateidu" user available both locally on these devices, and as part
of update packages. This issue is similar to the previously-reported
default root password, reported by Jasper Greve and identified as
[CVE-2015-0924][1]. This vulnerability was [discovered independently][2]
by HD Moore of Rapid7, Inc., while validating CVE-2015-0924.

## Details

There are two important distinctions from CVE-2015-0924. First, the
mateidu user does not, by default, have root-level access permissions on
the device. In order to obtain root access, an attacker would need to
also exercise a local vulnerability.

Second, even if the user was able to easily replace the mateidu
authorized_keys file, later firmware upgrades replace any existing
authorized_keys file with the standard issue key. Distributions of these
update packages containing the corresponding private key are easily
obtained by using simple search terms on any major search engine.

A Metasploit module has been produced and published to demonstrate the
vulnerability, and is made publicly available so device owners and
maintainers may effectively and easily test any mitigation and patching
solution provided or invented.

### Exposed Key Pair

The shipping public key for the mateidu user has the fingerprint,
`27:c6:ad:f9:a6:4d:22:3f:18:b0:3b:df:81:1c:57:45` , and is:



The private key is:


## Vendor Response

According to the vendor, "A software version that fixes the
vulnerability found in the IP-10 product has been released and is
available to our customers for download through our customer support
resource center. Customers who need assistance are encouraged to contact
a Ceragon customer support representative."

## Timeline

* Jan 16, 2015 (Sat): CVE-2015-0924 disclosed by CERT/CC
* Jan 21, 2015 (Thu): Rapid7 researcher HD Moore discovers this related
* Jan 26, 2015 (Mon): Vendor is notified of the vulnerability
* Feb 02, 2015 (Tue): Vendor confirms report and indicates a fix is
* Feb 11, 2015 (Thu): CERT/CC is notified, assigns VU#573412 and
* Mar 26, 2015 (Thu): Vendor confirms a fix has been released
* Apr 01, 2015 (Wed): [Public disclosure][3] and [Metasploit module][4] is


Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    12 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By