Monroe Electronics created a mitigation for a compromised root SSH key vulnerability that impacts the Monroe Electronics DASDEC, according to a report on ICS-CERT.
Mike Davis, a researcher with IOActive, reported the compromised root SSH key vulnerability to CERT Coordination Center (CERT/CC). This remotely exploitable vulnerability is in Monroe Electronics DASDEC I and DASDEC-II appliances. ICS-CERT coordinated with CERT/CC and Monroe Electronics to resolve the vulnerability.
The following Monroe Electronics products suffer from the issue: DASDEC-I and DASDEC-II.
An attacker who exploits this vulnerability could gain root access to the device and affect the availability, integrity, and confidentiality of the system.
Monroe Electronics is a Lyndonville, NY-based company that develops and distributes worldwide electrostatic measuring instruments including electrostatic voltmeters, electrostatic field meters, coulomb meters, and resistivity meters.
The affected products, DASDEC-I and DASDEC-II are emergency alert system (EAS) encoder/decoder (endec) devices used to broadcast EAS messages over digital and analog channels. According to Monroe Electronics, DASDEC-I and DASDEC-II end up deployed across broadcast radio and television in the communication sector. Monroe Electronics said these products see use mainly in the United States.
DASDEC-I and DASDEC-II had publicly available firmware images for these devices that included a private SSH key that authorizes remote logins to the devices. For software versions prior to 2.0-2, where the default SSH keys did not end up changed, an attacker can then log into a device with root privileges.
CVE-2013-0137 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
No known public exploits specifically target this vulnerability. An attacker with a moderate skill level could exploit this vulnerability.
Monroe Electronics has produced a software update, Version 2.0-2 that resolves this vulnerability. DASDEC users can obtain the DASDEC v2.0-2 software update and release notes by contacting the company’s support center.