Security issue: SSL & SSH keys appear hard coded

DOWNLOAD THE LATEST FIRMWARE HERE
User avatar
KBrownConsulting
Member
 
Posts: 71
Joined: Wed Dec 14, 2016 3:29 pm
Has thanked: 15 times
Been thanked: 17 times

Security issue: SSL & SSH keys appear hard coded

Tue Feb 04, 2020 5:39 am

Not sure if this is a new issue with firmware 1.5.5 but I just noticed that the HTTPS cert & SSH private key on all my switches are identical! That suggests the keys are hard coded into the firmware as opposed to being generated on the switches. Hopefully it's obvious why this is bad.

Was this a design decision or a bug? I'm actually hoping the latter so it can be addressed...

While, I understand the general advice about never exposing a switch to the public internet, it's suddenly clear why it's critical to never expose a Netonix switch to the internet. (Or any untrusted network for that matter.) Currently there's ZERO protection against MITM attacks!

At the very least could we get new buttons on the Configuration page to generate a new HTTPS cert & SSH key on demand? Or if it's impossible to generate secure keys on the device, could we get a button that lets us easily upload keys we've generated elsewhere? (Actually having that option might be nice regardless.)

User avatar
Dave
Employee
Employee
 
Posts: 723
Joined: Tue Apr 08, 2014 6:28 pm
Has thanked: 1 time
Been thanked: 158 times

Re: Security issue: SSL & SSH keys appear hard coded

Tue Feb 04, 2020 9:15 am

I will have Stephen look at this today.

User avatar
Stephen
Employee
Employee
 
Posts: 965
Joined: Sun Dec 24, 2017 8:56 pm
Has thanked: 77 times
Been thanked: 169 times

Re: Security issue: SSL & SSH keys appear hard coded

Tue Feb 04, 2020 11:59 am

No, that is by no means by design. If you wouldn't mind, can you send me the MAC address in a PM of at least one of the afflicted switches? I need to check the manufacturing date on them.

We use openssl to generate the keys for the web server and dropbear generate's key's itself.

What may have caused this is that the keys where not deleted before manufacturing. Hence why I need that info from you so I can find out what batch this may have been.

In the mean time, you can regenerate the keys yourself quite easily.
In the serial command prompt perform these commands:

Regenerate keys for dropbear (ssh)
Code: Select all
cmd
rm /etc/dropbear/dropbear*
/etc/init.d/dropbear restart


Regenerate keys for ssl (web server key)
Code: Select all
cmd
rm /etc/conf/lighttpd.pem
/etc/init.d/netonix restart
/etc/init.d/lighttpd restart


I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.

User avatar
KBrownConsulting
Member
 
Posts: 71
Joined: Wed Dec 14, 2016 3:29 pm
Has thanked: 15 times
Been thanked: 17 times

Re: Security issue: SSL & SSH keys appear hard coded

Tue Feb 04, 2020 12:36 pm

Thanks for the prompt reply. PM with MAC address sent.

User avatar
Stephen
Employee
Employee
 
Posts: 965
Joined: Sun Dec 24, 2017 8:56 pm
Has thanked: 77 times
Been thanked: 169 times

Re: Security issue: SSL & SSH keys appear hard coded

Tue Feb 04, 2020 2:09 pm

Thank you for the info.

Just as a follow up to anyone who might be concerned about this.
Apparently this switch was manufactured in late 2016 and shipped with firmware 1.4.2 on it.
I don't know what the manufacturing method was back then as this was over a year before I started.

If one of your switches had image 1.4.2 on it when you first purchased it. I would recommend running the above commands to be safe. It will not cause any disruption's in service.

abatie
Member
 
Posts: 6
Joined: Fri Mar 26, 2021 5:16 pm
Has thanked: 0 time
Been thanked: 1 time

Re: Security issue: SSL & SSH keys appear hard coded

Thu Nov 10, 2022 4:07 pm

I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.


Any progress on this? We are trying to get all of our certs to be valid...

User avatar
KBrownConsulting
Member
 
Posts: 71
Joined: Wed Dec 14, 2016 3:29 pm
Has thanked: 15 times
Been thanked: 17 times

Re: Security issue: SSL & SSH keys appear hard coded

Wed Nov 30, 2022 5:14 pm

You should be able to simply use something like WinSCP (or any scp app of your choice) and replace the follow file with your valid cert:

/etc/conf/lighttpd.pem

Return to Hardware and software issues

Who is online

Users browsing this forum: Bing [Bot] and 22 guests