The Meinberg SyncBox/PTP/PTPv2 devices have default SSH keys which allow attackers to get root access to the devices. All firmware versions up to v5.34o, v5.34s, v5.32* or 5.34g are affected. The private key is also used in an internal interface of another Meinberg Device and can be extracted from a firmware update of this device. An update to fix the vulnerability was published by the vendor.
All Meinberg SyncBox/PTP/PTPv2 devices with firmware versions up to:
"The Meinberg SyncBox/PTPv2 simplifies a migration towards PTP/IEEE 1588-2008 by providing a wide range of legacy time synchronization outputs. It is synchronized by a PTP Grandmaster and can be used as a time source for equipment that requires IRIG, PPS, 10MHz or E1 telecom carrier signals."(provided by Meinberg)
Connect over SSH to the device as root using the private RSA key.
An attacker could log in as the root user with the hard coded rsa key. Additional man-in-the-middle attacks on the ssh sessions are possible because of the static host key.
Apply the firmware update provided by Meinberg. As an alternative remove the following authorized key, clear the known hosts file and regenerate the host keys.
Authorized Key RSA:
The keys are stored in different locations. The following files should be checked:
|2019/10/14||initial vendor response|
|2019/10/14||further details have been provided to the vendor|
|2019/10/15||further information requested|
|2019/10/15||vendor provided further information|
|2019/10/16||timeline for fixes requested|
|2019/10/16||vendor requests more time|
|2019/10/16||more time permitted|
|2019/10/29||vendor provided detailed roadmap of planned fixes, first publication and full disclosure|
|2019/10/29||roadmap and timeline accepted|
|2019/11/13||notification on start of fix development|
|2019/11/22||notification that fix is implemented and in approval process|
|2019/12/16||Meinberg informed their customers via a newsletter and short publication about the vulnerability and the fix|
|2020/01/09||security advisory published by Meinberg|
|2020/01/13||researchers security advisory published|