Today, Rapid7 is notifying Nexpose and InsightVM users of a vulnerability that affects certain virtual appliances. While this issue is relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about this issue, please don't hesitate to contact your customer success manager (CSM), or your usual support contact.

We apologize for any inconvenience this may cause our customers. We take our customers' security very seriously and strive to provide full transparency and clarity so users can take action to protect their assets as soon as practicable.

Description of CVE-2017-5242

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.

A malicious user with privileged access to one of these vulnerable virtual appliances could retrieve the SSH host private key and use it to impersonate another user's vulnerable appliance.

In order to do so, an attacker would also need to redirect traffic from the victim's appliance to the attacker's appliance. Likewise, an attacker that can capture SSH traffic between a victim's client machine and the victim's virtual appliance could decrypt this traffic.

In either attack scenario, an attacker would need to gain a privileged position on a victim's network in order to capture or redirect network traffic. Since our virtual appliances are rarely exposed directly to the internet, this added complexity makes it a relatively low-risk vulnerability.

Am I affected?

Customers can determine whether their virtual appliance is affected by running the following command:

stat /etc/ssh/ssh_host_* | grep Modify  
  
Modify: 2017-04-29 13:20:13.684650643 -0700  
Modify: 2017-04-29 13:20:13.684650643 -0700  
Modify: 2017-04-29 13:20:13.724650642 -0700  
Modify: 2017-04-29 13:20:13.724650642 -0700  
Modify: 2017-04-29 13:20:13.764650641 -0700  
Modify: 2017-04-29 13:20:13.764650641 -0700  
Modify: 2017-04-29 13:20:13.592650647 -0700  
Modify: 2017-04-29 13:20:13.592650647 -0700  

Affected virtual appliances contain SSH host keys generated between April 5th, 2017 and May 3rd, 2017. If the modification date ("Modify") of any of the SSH host key files falls in this range, then the virtual appliance is affected and the remediation steps below should be completed.
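As an added example (not part of Rapid7's advisory), the POSIX shell script below automates the check above: it lists every ssh_host_* file in a directory whose modification time falls inside the affected window and returns success only when at least one does. It assumes GNU or busybox stat (for `stat -c %Y`), as found on the Debian-based appliance; the window boundaries are expressed in UTC, so a key modified within a few hours of either edge should be confirmed by hand against the local times that `stat` prints.

```shell
#!/bin/sh
# Detection helper for CVE-2017-5242 (identical SSH host keys).
# Affected window from the advisory, as UTC epoch seconds:
# 2017-04-05 00:00:00 UTC up to (not including) 2017-05-04 00:00:00 UTC.
WINDOW_START=1491350400
WINDOW_END=1493856000

# Epoch modification time of one file (GNU/busybox stat syntax).
key_mtime() {
    stat -c %Y "$1"
}

# Print "<epoch-mtime><TAB><path>" for every ssh_host_* file in DIR
# (default /etc/ssh) whose mtime lies inside the window.
# Returns 0 if any such key exists (appliance affected), 1 otherwise.
# This mirrors the advisory's own heuristic: it keys on file age, so a
# host key that was legitimately regenerated during the window will also
# be reported and should simply be regenerated again.
affected_host_keys() {
    dir=${1:-/etc/ssh}
    found=1
    for f in "$dir"/ssh_host_*; do
        [ -e "$f" ] || continue            # glob did not match anything
        m=$(key_mtime "$f") || continue    # unreadable file: skip
        if [ "$m" -ge "$WINDOW_START" ] && [ "$m" -lt "$WINDOW_END" ]; then
            printf '%s\t%s\n' "$m" "$f"
            found=0
        fi
    done
    return $found
}

# Stand-alone use: sh check_host_keys.sh /etc/ssh
if [ $# -gt 0 ]; then
    if affected_host_keys "$1"; then
        echo "AFFECTED: regenerate the SSH host keys (see Remediation)"
        exit 2
    fi
    echo "not affected: no host key modified in the CVE-2017-5242 window"
fi
```

After regenerating the keys, running the check again should report "not affected", because the new files carry the current date.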

Remediation

Customers should either download and deploy the latest virtual appliance, or regenerate the SSH host keys on the existing appliance with these commands:

/bin/rm -v /etc/ssh/ssh_host_*  
dpkg-reconfigure openssh-server  
/etc/init.d/ssh restart  

Post-remediation

After regenerating the SSH host keys, customers will see a "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" notice the next time they SSH to the virtual appliance, because the client's known_hosts file still holds the old key. Customers should run the following command on the client they use to SSH to the virtual appliance; it removes the stale entry so the new host key can be accepted on the next connection.

ssh-keygen -R <Virtual_Appliance_FQDN_or_IP>  

Resources

The latest virtual appliances are available at: https://community.rapid7.com/docs/DOC-2595

Additional details on resolving the "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning can be found at: https://www.cyberciti.biz/faq/warning-remote-host-identification-has-changed-error-and-solution/