Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2014-8779: SSH Host keys on Pexip Infinity

From: giles () pexip com
Date: Thu, 29 Jan 2015 12:26:19 +0000
Summary
=======

The operating system used by Pexip Infinity does not create unique SSH
host keys on deployment of new Management and Conferencing Nodes, using
fixed host keys instead. Host keys are used to verify the identity of
the remote host when connecting to it over SSH. These keys are contained
in the publicly available software image.

An attacker with privileged network access may make use of these keys to
spoof the identity of a Pexip Infinity installation or conduct
man-in-the-middle attacks on administrative SSH sessions. This may
permit the attacker access to credentials used to authenticate sessions
over SSH and provide shell access to the affected systems.

This issue is resolved in Pexip Infinity version 8.

References
=========
CVE-2014-8779
http://pexip.com/security-bulletins
Previous By Date Next
Previous By Thread Next

Current thread: