Loadbalancer.org Enterprise VA 7.5.2 Static SSH Key

Published: 2014-03-18 10:16:16

CVSS Base Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Detection Type:
Remote Vulnerability

Impact:
A remote attacker can exploit this issue to gain unauthorized root access to affected devices. Successfully exploiting this issue allows attackers to completely compromise the devices.

Detection Method:
Try to log in as root using the known static private key.

Technical Details:
Loadbalancer.org Enterprise VA versions 7.5.2 and below ship with the same static SSH public and private key pair installed on every appliance. When the keys are regenerated, the old public key is not removed from the authorized_keys2 file, so anyone holding the default private key can still authenticate.
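The defender-side check that follows from the flaw above is to audit authorized_keys and authorized_keys2 for entries whose fingerprint is not one of the keys currently issued. The Python below is an added example, not code from the advisory or from Loadbalancer.org; it parses OpenSSH authorized_keys lines, computes SHA256 fingerprints, and flags leftover entries. The sample file and both key blobs are constructed (not real keys), and the allowlist of expected fingerprints is assumed to be maintained by the administrator.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) for each key line in an authorized_keys file."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type; locate the type token.
        # (Simplification: options containing a key-type word in quotes are not handled.)
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        comment = " ".join(parts[idx + 2:])
        yield parts[idx], fingerprint(parts[idx + 1]), comment

def find_stale_keys(text: str, expected_fingerprints):
    """Return entries whose fingerprint is not among the keys currently issued."""
    expected = set(expected_fingerprints)
    return [entry for entry in parse_authorized_keys(text) if entry[1] not in expected]

# Constructed sample input: fake ed25519 blobs derived from a seed (not real keys).
def _fake_blob(seed: bytes) -> str:
    pub = hashlib.sha256(seed).digest()  # 32 bytes, the size of an ed25519 public key
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()

REGENERATED_BLOB = _fake_blob(b"regenerated-after-upgrade")
LEFTOVER_BLOB = _fake_blob(b"factory-default-image")
SAMPLE_AUTHORIZED_KEYS2 = "\n".join([
    "# constructed sample of /root/.ssh/authorized_keys2",
    f"ssh-ed25519 {LEFTOVER_BLOB} root@appliance-image",
    f'command="/usr/bin/true" ssh-ed25519 {REGENERATED_BLOB} root@lb01',
])

if __name__ == "__main__":
    for key_type, fp, comment in find_stale_keys(SAMPLE_AUTHORIZED_KEYS2,
                                                 [fingerprint(REGENERATED_BLOB)]):
        print(f"stale entry: {key_type} {fp} {comment}")
```

Run against a real appliance by replacing the sample text with the contents of each user's authorized_keys and authorized_keys2 and the allowlist with the fingerprints reported by `ssh-keygen -lf` for the keys you generated.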

Recommendations:
Upgrade to version 7.5.3 or newer.

Solution Type:
Vendor Patch

Summary:
Loadbalancer.org Enterprise VA 7.5.2 contains a default SSH private key.

Affected Versions:
Loadbalancer.org Enterprise VA versions 7.5.2 and below

References:

http://packetstormsecurity.com/files/125754/Loadbalancer.org-Enterprise-VA-7.5.2-Static-SSH-Key.html

Severity:
High

CVSS Score:
10.0
