CVE-2016-1560
Published 2017-04-21
Priority P182 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 72.29% (99.4th percentile)
ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| exagrid | ex10000e_firmware | — | — |
| exagrid | ex13000e_firmware | — | — |
| exagrid | ex21000e_firmware | — | — |
| exagrid | ex3000_firmware | — | — |
| exagrid | ex32000e_firmware | — | — |
| exagrid | ex40000e_firmware | — | — |
| exagrid | ex5000_firmware | — | — |
| exagrid | ex7000_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect SSH login attempts to ExaGrid appliances using username 'root' with password 'inflection', the hardcoded default credential for the root shell account.
- Detect SSH authentication attempts using the known ExaGrid backdoor RSA private key (fingerprint derivable from the embedded key_data). Any successful SSH login to an ExaGrid appliance via this key should be treated as a compromise indicator.
- Alert on SSH sessions to ExaGrid appliances (port 22) that spawn an interactive bash shell (/bin/bash -i) immediately after authentication, which is the post-exploitation pattern used by the Metasploit module.
- Monitor HTTP/web interface login attempts to ExaGrid appliances using the username 'support', the hardcoded default credential for the web support account.
- Affected firmware versions are strictly before 4.8 P26. Appliances running 4.8 P26 or later are not vulnerable to this default credential issue.
CVSS provenance
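| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |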
Exploit-DB
ExaGrid - Known SSH Key and Default Password (Metasploit)
exploitdb·2016-04-07
CVE-2016-1561 ExaGrid - Known SSH Key and Default Password (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'

class MetasploitModule < Msf::Exploit::Remote
  # [...]
      'Name'        => 'ExaGrid Known SSH Key and Default Password',
      'Description' => %q{
        ExaGrid ships a public/private key pair on their backup appliances to
        allow passwordless authentication to other ExaGrid appliances. Since
        the private key is easily retrievable, an attacker can use it to gain
        unauthorized remote access as root. Additionally, this module will
        attempt to use the default password for root, 'inflection'.
      },
      'Platform'    => 'unix',
      'Arch'        => ARCH_CMD,
      'Privileged'  => true,
      'Targets'     => [ [ "Universal", {} ] ],
      'Payload'     =>
        {
          'Compat'  => {
```
Metasploit
ExaGrid Known SSH Key and Default Password
ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the default password for root, 'inflection'.
- http://packetstormsecurity.com/files/136634/ExaGrid-Known-SSH-Key-Default-Password.html
- http://www.rapid7.com/db/modules/exploit/linux/ssh/exagrid_known_privkey
- https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials
Published: 2017-04-21