Security issue: SSL & SSH keys appear hard coded

[KBrownConsulting]

Not sure if this is a new issue with firmware 1.5.5 but I just noticed that the HTTPS cert & SSH private key on all my switches are identical! That suggests the keys are hard coded into the firmware as opposed to being generated on the switches. Hopefully it's obvious why this is bad.

Was this a design decision or a bug? I'm actually hoping the latter so it can be addressed...

While, I understand the general advice about never exposing a switch to the public internet, it's suddenly clear why it's critical to never expose a Netonix switch to the internet. (Or any untrusted network for that matter.) Currently there's ZERO protection against MITM attacks!

At the very least could we get new buttons on the Configuration page to generate a new HTTPS cert & SSH key on demand? Or if it's impossible to generate secure keys on the device, could we get a button that lets us easily upload keys we've generated elsewhere? (Actually having that option might be nice regardless.)

[Dave]

I will have Stephen look at this today.

[Stephen]

No, that is by no means by design. If you wouldn't mind, can you send me the MAC address in a PM of at least one of the afflicted switches? I need to check the manufacturing date on them.

We use openssl to generate the keys for the web server and dropbear generate's key's itself.

What may have caused this is that the keys where not deleted before manufacturing. Hence why I need that info from you so I can find out what batch this may have been.

In the mean time, you can regenerate the keys yourself quite easily.
In the serial command prompt perform these commands:

Regenerate keys for dropbear (ssh)

Code: Select all

cmd
rm /etc/dropbear/dropbear*
/etc/init.d/dropbear restart


Regenerate keys for ssl (web server key)

Code: Select all

cmd
rm /etc/conf/lighttpd.pem
/etc/init.d/netonix restart
/etc/init.d/lighttpd restart


I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.

[KBrownConsulting]

Thanks for the prompt reply. PM with MAC address sent.

[Stephen]

Thank you for the info.

Just as a follow up to anyone who might be concerned about this.
Apparently this switch was manufactured in late 2016 and shipped with firmware 1.4.2 on it.
I don't know what the manufacturing method was back then as this was over a year before I started.

If one of your switches had image 1.4.2 on it when you first purchased it. I would recommend running the above commands to be safe. It will not cause any disruption's in service.

[abatie]

I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.

Any progress on this? We are trying to get all of our certs to be valid...

[KBrownConsulting]

You should be able to simply use something like WinSCP (or any scp app of your choice) and replace the follow file with your valid cert:

/etc/conf/lighttpd.pem