Not sure if this is a new issue with firmware 1.5.5 but I just noticed that the HTTPS cert & SSH private key on all my switches are identical! That suggests the keys are hard coded into the firmware as opposed to being generated on the switches. Hopefully it's obvious why this is bad.
Was this a design decision or a bug? I'm actually hoping the latter so it can be addressed...
While, I understand the general advice about never exposing a switch to the public internet, it's suddenly clear why it's critical to never expose a Netonix switch to the internet. (Or any untrusted network for that matter.) Currently there's ZERO protection against MITM attacks!
At the very least could we get new buttons on the Configuration page to generate a new HTTPS cert & SSH key on demand? Or if it's impossible to generate secure keys on the device, could we get a button that lets us easily upload keys we've generated elsewhere? (Actually having that option might be nice regardless.)
Security issue: SSL & SSH keys appear hard coded
-
KBrownConsulting - Member
- Posts: 71
- Joined: Wed Dec 14, 2016 3:29 pm
- Has thanked: 15 times
- Been thanked: 17 times
-
Dave - Employee
- Posts: 726
- Joined: Tue Apr 08, 2014 6:28 pm
- Has thanked: 1 time
- Been thanked: 158 times
Re: Security issue: SSL & SSH keys appear hard coded
I will have Stephen look at this today.
-
Stephen - Employee
- Posts: 1033
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: Security issue: SSL & SSH keys appear hard coded
No, that is by no means by design. If you wouldn't mind, can you send me the MAC address in a PM of at least one of the afflicted switches? I need to check the manufacturing date on them.
We use openssl to generate the keys for the web server and dropbear generate's key's itself.
What may have caused this is that the keys where not deleted before manufacturing. Hence why I need that info from you so I can find out what batch this may have been.
In the mean time, you can regenerate the keys yourself quite easily.
In the serial command prompt perform these commands:
Regenerate keys for dropbear (ssh)
Regenerate keys for ssl (web server key)
I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.
We use openssl to generate the keys for the web server and dropbear generate's key's itself.
What may have caused this is that the keys where not deleted before manufacturing. Hence why I need that info from you so I can find out what batch this may have been.
In the mean time, you can regenerate the keys yourself quite easily.
In the serial command prompt perform these commands:
Regenerate keys for dropbear (ssh)
- Code: Select all
cmd
rm /etc/dropbear/dropbear*
/etc/init.d/dropbear restart
Regenerate keys for ssl (web server key)
- Code: Select all
cmd
rm /etc/conf/lighttpd.pem
/etc/init.d/netonix restart
/etc/init.d/lighttpd restart
I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.
-
KBrownConsulting - Member
- Posts: 71
- Joined: Wed Dec 14, 2016 3:29 pm
- Has thanked: 15 times
- Been thanked: 17 times
Re: Security issue: SSL & SSH keys appear hard coded
Thanks for the prompt reply. PM with MAC address sent.
-
Stephen - Employee
- Posts: 1033
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: Security issue: SSL & SSH keys appear hard coded
Thank you for the info.
Just as a follow up to anyone who might be concerned about this.
Apparently this switch was manufactured in late 2016 and shipped with firmware 1.4.2 on it.
I don't know what the manufacturing method was back then as this was over a year before I started.
If one of your switches had image 1.4.2 on it when you first purchased it. I would recommend running the above commands to be safe. It will not cause any disruption's in service.
Just as a follow up to anyone who might be concerned about this.
Apparently this switch was manufactured in late 2016 and shipped with firmware 1.4.2 on it.
I don't know what the manufacturing method was back then as this was over a year before I started.
If one of your switches had image 1.4.2 on it when you first purchased it. I would recommend running the above commands to be safe. It will not cause any disruption's in service.
Re: Security issue: SSL & SSH keys appear hard coded
I will investigate user's being able to use their own key's if they wish and regenerating them from the web page.
Any progress on this? We are trying to get all of our certs to be valid...
-
KBrownConsulting - Member
- Posts: 71
- Joined: Wed Dec 14, 2016 3:29 pm
- Has thanked: 15 times
- Been thanked: 17 times
Re: Security issue: SSL & SSH keys appear hard coded
You should be able to simply use something like WinSCP (or any scp app of your choice) and replace the follow file with your valid cert:
/etc/conf/lighttpd.pem
/etc/conf/lighttpd.pem
7 posts
Page 1 of 1
Who is online
Users browsing this forum: No registered users and 56 guests