Sign-up

ID

VAR-201710-0035


CVE

CVE-2015-6358


TITLE

Embedded devices use non-unique X.509 certificates and SSH host keys

Trust: 0.8

sources: CERT/CC: VU#566724

DESCRIPTION

Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from another installation, aka Bug IDs CSCuw46610, CSCuw46620, CSCuw46637, CSCuw46654, CSCuw46665, CSCuw46672, CSCuw46677, CSCuw46682, CSCuw46705, CSCuw46716, CSCuw46979, CSCuw47005, CSCuw47028, CSCuw47040, CSCuw47048, CSCuw47061, CSCuw90860, CSCuw90869, CSCuw90875, CSCuw90881, CSCuw90899, and CSCuw90913. The encryption key is hard-coded (CWE-321) SEC Consult of Stefan Viehböck According to the survey, many embedded devices are not unique X.509 Certificate and SSH It is said that it is accessible from the Internet using a host key. A hard-coded key in a firmware image or a repository stored by scanning the Internet scans.io ( In particular SSH And the result of SSL Certificate ) A device that uses a certificate whose fingerprint matches the data of can be determined to be vulnerable. Affected devices include household routers and IP From the camera VoIP Wide range of products. CWE-321: Use of Hard-coded Cryptographic Key http://cwe.mitre.org/data/definitions/321.html scans.io https://scans.io/ SSH Result of https://scans.io/series/ssh-rsa-full-ipv4 SSL Certificate https://scans.io/study/sonar.ssl In many vulnerable devices, certificate and key reuse is limited to a limited product line by a specific developer, but there are several examples where multiple developers use the same certificate or key. Or exist. These are common SDK Firmware developed using, or ISP Provided by OEM The root cause is the use of device firmware. Vulnerable equipment is impersonation and intermediary (man-in-the-middle) There is a possibility of being attacked or deciphering the communication contents. Perhaps the attacker can obtain authentication information and other sensitive information and use it for further attacks. Survey results and certificates SSH For more information on systems affected by host key issues, see SEC Consult See the blog post. Certificate https://www.sec-consult.com/download/certificates.html SSH Host key https://www.sec-consult.com/download/ssh_host_keys.html SEC Consult http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.htmlA remote attacker impersonates a user or intermediary (man-in-the-middle) There is a possibility of being attacked or deciphering the communication contents. As a result, confidential information may be leaked. The Cisco RV320 Dual Gigabit WAN VPN is a router product from Cisco Systems, USA. Multiple Cisco Products are prone to an information-disclosure vulnerability. Successful exploits will lead to other attacks. This issue is being tracked by Cisco Bug IDs CSCuw46610, CSCuw46620, CSCuw46637, CSCuw46654, CSCuw46665, CSCuw46672, CSCuw46677, CSCuw46682, CSCuw46705, CSCuw46716, CSCuw46979, CSCuw47005, CSCuw47028, CSCuw47040, CSCuw47048, CSCuw47061, CSCuw90860, CSCuw90869, CSCuw90875, CSCuw90881, CSCuw90899, and CSCuw90913. The flaw stems from the fact that the program does not generate unique keys and certificates

Trust: 3.24

sources: NVD: CVE-2015-6358 // CERT/CC: VU#566724 // JVNDB: JVNDB-2015-006907 // CNVD: CNVD-2015-07863 // BID: 78047 // VULHUB: VHN-84319

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-07863

AFFECTED PRODUCTS

vendor:ciscomodel:wap2000scope:lteversion:2.0.8.0

Trust: 1.0

vendor:ciscomodel:rv315wscope:lteversion:1.01.03

Trust: 1.0

vendor:ciscomodel:wet200scope:lteversion:2.0.8.0

Trust: 1.0

vendor:ciscomodel:rv120wscope:lteversion:1.0.5.9

Trust: 1.0

vendor:ciscomodel:wap200scope:lteversion:2.0.6.0

Trust: 1.0

vendor:ciscomodel:wap4410nscope:lteversion:2.0.7.8

Trust: 1.0

vendor:ciscomodel:rv320scope:lteversion:1.3.1.10

Trust: 1.0

vendor:ciscomodel:rv220wscope:lteversion:1.0.4.17

Trust: 1.0

vendor:ciscomodel:rv180wscope:lteversion:1.0.5.4

Trust: 1.0

vendor:ciscomodel:srp520scope:lteversion:1.01.29

Trust: 1.0

vendor:ciscomodel:wrv200scope:eqversion:1.0.39

Trust: 1.0

vendor:ciscomodel:pvc2300scope:lteversion:1.1.2.6

Trust: 1.0

vendor:ciscomodel:rv180scope:lteversion:1.0.5.4

Trust: 1.0

vendor:ciscomodel:wrvs4400nscope:lteversion:2.0.2.2

Trust: 1.0

vendor:ciscomodel:wap4400nscope:lteversion: -

Trust: 1.0

vendor:ciscomodel:spa400scope:lteversion:1.1.2.2

Trust: 1.0

vendor:ciscomodel:wvc2300scope:lteversion:1.1.2.6

Trust: 1.0

vendor:ciscomodel:rvs4000scope:lteversion:2.0.3.4

Trust: 1.0

vendor:ciscomodel:srw224pscope:lteversion:2.0.2.4

Trust: 1.0

vendor:ciscomodel:srp520-uscope:lteversion:1.2.6

Trust: 1.0

vendor:ciscomodel:wrp500scope:lteversion:1.0.1.002

Trust: 1.0

vendor:ciscomodel:wrv210scope:lteversion:2.0.1.5

Trust: 1.0

vendor:ciscomodel:rtp300scope:lteversion:3.1.24

Trust: 1.0

vendor:ciscomodel:rv325scope:lteversion:1.3.1.10

Trust: 1.0

vendor:actiontecmodel: - scope: - version: -

Trust: 0.8

vendor:ciscomodel: - scope: - version: -

Trust: 0.8

vendor:d linkmodel: - scope: - version: -

Trust: 0.8

vendor:general electricmodel: - scope: - version: -

Trust: 0.8

vendor:huaweimodel: - scope: - version: -

Trust: 0.8

vendor:netcommmodel: - scope: - version: -

Trust: 0.8

vendor:sierramodel: - scope: - version: -

Trust: 0.8

vendor:technicolormodel: - scope: - version: -

Trust: 0.8

vendor:ubiquitimodel: - scope: - version: -

Trust: 0.8

vendor:unifymodel: - scope: - version: -

Trust: 0.8

vendor:ztemodel: - scope: - version: -

Trust: 0.8

vendor:zyxelmodel: - scope: - version: -

Trust: 0.8

vendor:zyxelmodel:c1000zscope: - version: -

Trust: 0.8

vendor:zyxelmodel:fr1000zscope: - version: -

Trust: 0.8

vendor:zyxelmodel:gs1900-24scope: - version: -

Trust: 0.8

vendor:zyxelmodel:gs1900-8scope: - version: -

Trust: 0.8

vendor:zyxelmodel:nwa1100-nscope: - version: -

Trust: 0.8

vendor:zyxelmodel:nwa1100-nhscope: - version: -

Trust: 0.8

vendor:zyxelmodel:nwa1121-niscope: - version: -

Trust: 0.8

vendor:zyxelmodel:nwa1123-acscope: - version: -

Trust: 0.8

vendor:zyxelmodel:nwa1123-niscope: - version: -

Trust: 0.8

vendor:zyxelmodel:p-660hn-51scope: - version: -

Trust: 0.8

vendor:zyxelmodel:p-663hn-51scope: - version: -

Trust: 0.8

vendor:zyxelmodel:p8702nscope: - version: -

Trust: 0.8

vendor:zyxelmodel:pmg5318-b20ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:q1000scope: - version: -

Trust: 0.8

vendor:zyxelmodel:sbg3300-n000scope: - version: -

Trust: 0.8

vendor:zyxelmodel:sbg3300-nb00scope: - version: -

Trust: 0.8

vendor:zyxelmodel:sbg3500-n000scope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg1312-b10ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg1312-b30ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg1312-b30bscope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg4380-b10ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg8324-b10ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg8924-b10ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:vmg8924-b30ascope: - version: -

Trust: 0.8

vendor:zyxelmodel:vsg1435-b101scope: - version: -

Trust: 0.8

vendor:multiple vendorsmodel: - scope: - version: -

Trust: 0.8

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope: - version: -

Trust: 0.6

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope: - version: -

Trust: 0.6

vendor:ciscomodel:rv325 dual wan gigabit vpn routerscope: - version: -

Trust: 0.6

vendor:ciscomodel:rvs4000 4-port gigabit security router vpnscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:wrv210 wireless-g vpn router rangeboosterscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:wap4410n wireless-n access point poe/advanced securityscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:wrv200 wireless-g vpn router rangeboosterscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:wrvs4400n wirelessscope: - version: -

Trust: 0.6

vendor:ciscomodel:srw224pscope:eqversion:2.0.2.4

Trust: 0.6

vendor:ciscomodel:wap4400nscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:wvc2300scope:eqversion:1.1.2.6

Trust: 0.6

vendor:ciscomodel:rv180scope:eqversion:1.0.5.4

Trust: 0.6

vendor:ciscomodel:wap200scope:eqversion:2.0.6.0

Trust: 0.6

vendor:ciscomodel:wrvs4400nscope:eqversion:2.0.2.2

Trust: 0.6

vendor:ciscomodel:rv180wscope:eqversion:1.0.5.4

Trust: 0.6

vendor:ciscomodel:wap2000scope:eqversion:2.0.8.0

Trust: 0.6

vendor:ciscomodel:pvc2300scope:eqversion:1.1.2.6

Trust: 0.6

vendor:ciscomodel:wet200scope:eqversion:2.0.8.0

Trust: 0.6

vendor:ciscomodel:wvc2300 wireless-g business internet video camera audioscope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:wrvs4400n wireless-n gigabit security router vpnscope:eqversion:-2.0

Trust: 0.3

vendor:ciscomodel:wrv210 wireless-g vpn router rangeboosterscope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:wrv200 wireless-g vpn router rangeboosterscope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:wrp500 wireless-ac broadband router with phone portsscope:eqversion:20

Trust: 0.3

vendor:ciscomodel:wet200 wireless-g business ethernet bridgescope:eqversion:0

Trust: 0.3

vendor:ciscomodel:wap4410n wireless-n access point poe/advanced securityscope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:wap4400n wireless-n access point poescope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:wap2000 wireless-g access point poescope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:wap200 wireless-g access point poe/rangeboosterscope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:srw224p 24-port 2-port gigabit switch webview/poescope:eqversion:10/100+-0

Trust: 0.3

vendor:ciscomodel:spa400 internet telephony gateway with fxo portsscope:eqversion:40

Trust: 0.3

vendor:ciscomodel:small business srp520-u modelsscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:small business srp520 modelsscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rvs4000 4-port gigabit security router vpnscope:eqversion:-0

Trust: 0.3

vendor:ciscomodel:rv325 dual wan gigabit vpn routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv315w wireless-n vpn routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv220w wireless network security firewallscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv180w wireless-n multifunction vpn routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv180 vpn routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rv120w wireless-n vpn firewallscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:rtp300 broadband routerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:pvc2300 business internet video camera audio/poescope:eqversion:-0

Trust: 0.3

sources: CERT/CC: VU#566724 // CNVD: CNVD-2015-07863 // BID: 78047 // JVNDB: JVNDB-2015-006907 // CNNVD: CNNVD-201511-426 // NVD: CVE-2015-6358

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6358
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-6358
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-07863
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201511-426
value: MEDIUM

Trust: 0.6

VULHUB: VHN-84319
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-6358
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2015-6358
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2015-07863
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-84319
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-6358
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2015-07863 // VULHUB: VHN-84319 // JVNDB: JVNDB-2015-006907 // CNNVD: CNNVD-201511-426 // NVD: CVE-2015-6358

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.1

sources: VULHUB: VHN-84319 // NVD: CVE-2015-6358

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201511-426

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201511-426

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006907

PATCH
title:Zyxel to Fix SSH Private Key and Certificate Vulnerability (CVE-2015-7256)url:http://www.zyxel.com/support/announcement_SSH_private_key_and_certificate_vulnerability.shtml
Trust: 0.8
title:Patches for multiple Cisco product information disclosure vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/67387
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-07863 // 
            
            
            
            JVNDB: JVNDB-2015-006907

EXTERNAL IDS
db:CERT/CCid:VU#566724
Trust: 3.6
db:NVDid:CVE-2015-6358
Trust: 3.4
db:BIDid:78047
Trust: 2.0
db:SECTRACKid:1034257
Trust: 1.7
db:SECTRACKid:1034255
Trust: 1.7
db:SECTRACKid:1034258
Trust: 1.7
db:SECTRACKid:1034256
Trust: 1.7
db:JVNid:JVNVU96100360
Trust: 0.8
db:JVNDBid:JVNDB-2015-006907
Trust: 0.8
db:CNNVDid:CNNVD-201511-426
Trust: 0.7
db:CNVDid:CNVD-2015-07863
Trust: 0.6
db:VULHUBid:VHN-84319
Trust: 0.1
sources:
            
            
            CERT/CC: VU#566724 // 
            
            
            
            CNVD: CNVD-2015-07863 // 
            
            
            
            VULHUB: VHN-84319 // 
            
            
            
            BID: 78047 // 
            
            
            
            JVNDB: JVNDB-2015-006907 // 
            
            
            
            CNNVD: CNNVD-201511-426 // 
            
            
            
            NVD: CVE-2015-6358

REFERENCES
url:http://www.kb.cert.org/vuls/id/566724
Trust: 2.8
url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151125-ci
Trust: 2.6
url:http://www.securityfocus.com/bid/78047
Trust: 1.7
url:http://www.securitytracker.com/id/1034255
Trust: 1.7
url:http://www.securitytracker.com/id/1034256
Trust: 1.7
url:http://www.securitytracker.com/id/1034257
Trust: 1.7
url:http://www.securitytracker.com/id/1034258
Trust: 1.7
url:http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
Trust: 1.6
url:http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
Trust: 0.8
url:https://www.sec-consult.com/download/certificates.html
Trust: 0.8
url:https://www.sec-consult.com/download/ssh_host_keys.html
Trust: 0.8
url:https://scans.io/
Trust: 0.8
url:https://scans.io/series/ssh-rsa-full-ipv4
Trust: 0.8
url:https://scans.io/study/sonar.ssl
Trust: 0.8
url:https://censys.io
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6358
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7255
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7256
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7276
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8251
Trust: 0.8
url:http://jvn.jp/vu/jvnvu96100360/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-7256
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-6358
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-7255
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-7276
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-8251
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
url:http://www.kb.cert.org/vuls/id/bluu-a2nqxj
Trust: 0.3
sources:
            
            
            CERT/CC: VU#566724 // 
            
            
            
            CNVD: CNVD-2015-07863 // 
            
            
            
            VULHUB: VHN-84319 // 
            
            
            
            BID: 78047 // 
            
            
            
            JVNDB: JVNDB-2015-006907 // 
            
            
            
            CNNVD: CNNVD-201511-426 // 
            
            
            
            NVD: CVE-2015-6358

CREDITS
Stefan Viehböck of SEC Consult.
Trust: 0.3
sources:
            
            
            BID: 78047

SOURCES
db:CERT/CCid:VU#566724
db:CNVDid:CNVD-2015-07863
db:VULHUBid:VHN-84319
db:BIDid:78047
db:JVNDBid:JVNDB-2015-006907
db:CNNVDid:CNNVD-201511-426
db:NVDid:CVE-2015-6358

LAST UPDATE DATE
2024-11-23T22:25:43.673000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#566724date:2016-09-06T00:00:00
db:CNVDid:CNVD-2015-07863date:2015-12-01T00:00:00
db:VULHUBid:VHN-84319date:2017-11-03T00:00:00
db:BIDid:78047date:2015-11-25T00:00:00
db:JVNDBid:JVNDB-2015-006907date:2018-02-28T00:00:00
db:CNNVDid:CNNVD-201511-426date:2017-10-13T00:00:00
db:NVDid:CVE-2015-6358date:2024-11-21T02:34:50.923

SOURCES RELEASE DATE
db:CERT/CCid:VU#566724date:2015-11-25T00:00:00
db:CNVDid:CNVD-2015-07863date:2015-12-01T00:00:00
db:VULHUBid:VHN-84319date:2017-10-12T00:00:00
db:BIDid:78047date:2015-11-25T00:00:00
db:JVNDBid:JVNDB-2015-006907date:2016-02-29T00:00:00
db:CNNVDid:CNNVD-201511-426date:2015-11-26T00:00:00
db:NVDid:CVE-2015-6358date:2017-10-12T15:29:00.217