Security advisory - CVE-2019-17584

Default root SSH key in Meinberg SyncBoxes

Summary

The Meinberg SyncBox/PTP/PTPv2 devices have default SSH keys which allow attackers to get root access to the devices. All firmware versions up to v5.34o, v5.34s, v5.32* or 5.34g are affected. The private key is also used in an internal interface of another Meinberg device and can be extracted from a firmware update of that device. An update to fix the vulnerability was published by the vendor.

Affected Products

All Meinberg SyncBox/PTP/PTPv2 devices with firmware versions up to:

Background

"The Meinberg SyncBox/PTPv2 simplifies a migration towards PTP/IEEE 1588-2008 by providing a wide range of legacy time synchronization outputs. It is synchronized by a PTP Grandmaster and can be used as a time source for equipment that requires IRIG, PPS, 10MHz or E1 telecom carrier signals." (provided by Meinberg)

References

PoC

Connect over SSH to the device as root using the private RSA key.

Effect

An attacker could log in as the root user with the hard-coded RSA key. Additionally, man-in-the-middle attacks on the SSH sessions are possible because of the static host key.

Mitigation

Apply the firmware update provided by Meinberg. As an alternative, remove the following authorized key, clear the known hosts file and regenerate the host keys.

Authorized Key RSA:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzrkPESKunGZ7VGGqDD2IEFXh9wylPo5TynYdKcXq+kbFGG60fo6scPKgqQBMg44NZit1MdJEw7hUbA9jqGJr5l/93cjwjMDAdrkgW9c5k74nTYvlIwEHy8SVtqR3skm7bQKmFwmErNccS0euxcvVYqFI0vV04m2gJqV0Z4HuiUM= root@linux
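
An added example (not from the advisory or the vendor) covering the authorized-key part of this mitigation: it checks each authorized_keys file passed as an argument for the default key above and removes only that entry, keeping a backup. The function names and the `.bak` suffix are assumptions, and the file paths are supplied by the operator.

```shell
#!/bin/sh
# Added example: find and remove the default root key from authorized_keys files.
# Usage: sh remove_default_key.sh FILE [FILE ...]

# Base64 blob of the default key, copied from the advisory text above.
DEFAULT_KEY_BLOB='AAAAB3NzaC1yc2EAAAABIwAAAIEAzrkPESKunGZ7VGGqDD2IEFXh9wylPo5TynYdKcXq+kbFGG60fo6scPKgqQBMg44NZit1MdJEw7hUbA9jqGJr5l/93cjwjMDAdrkgW9c5k74nTYvlIwEHy8SVtqR3skm7bQKmFwmErNccS0euxcvVYqFI0vV04m2gJqV0Z4HuiUM='

# has_default_key FILE
# Succeeds if FILE holds the default key. Matching on the blob as a fixed
# string (not on the whole line) also catches entries that carry key options
# or a different comment.
has_default_key() {
    [ -f "$1" ] && grep -qF -- "$DEFAULT_KEY_BLOB" "$1"
}

# remove_default_key FILE
# Returns 0 if the key was removed, 1 if it was not present, 2 on I/O error.
# All other keys are kept. The original is saved as FILE.bak, and FILE is
# rewritten in place so its owner and mode stay unchanged.
remove_default_key() {
    file=$1
    has_default_key "$file" || return 1
    cp -p "$file" "$file.bak" || return 2
    # grep -v exits 1 when nothing is left to print (the file held only the
    # default key); that is a valid result here, not an error.
    grep -vF -- "$DEFAULT_KEY_BLOB" "$file.bak" > "$file" || [ $? -eq 1 ] || return 2
}

# Process every file named on the command line.
for f in "$@"; do
    if remove_default_key "$f"; then
        echo "removed default key from $f (backup: $f.bak)"
    elif has_default_key "$f"; then
        echo "FAILED to remove default key from $f" >&2
    else
        echo "default key not present in $f"
    fi
done
```

Clearing the known hosts file and regenerating the host keys remain separate steps, and the `.bak` copies should be deleted once the result has been verified.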

The keys are stored in different locations. The following files should be checked:

Disclosure Timeline

2019/10/14 vendor contacted
2019/10/14 initial vendor response
2019/10/14 CVE assigned
2019/10/14 further details have been provided to the vendor
2019/10/15 vendor confirmation
2019/10/15 further information requested
2019/10/15 vendor provided further information
2019/10/16 timeline for fixes requested
2019/10/16 vendor requests more time
2019/10/16 more time permitted
2019/10/29 vendor provided detailed roadmap of planned fixes, first publication and full disclosure
2019/10/29 roadmap and timeline accepted
2019/11/13 notification on start of fix development
2019/11/22 notification that fix is implemented and in approval process
2019/12/16 Meinberg informed their customers via a newsletter and short publication about the vulnerability and the fix
2020/01/09 security advisory published by Meinberg
2020/01/13 researchers' security advisory published

Credits