CVE-2018-16158
Published 2018-08-30
Priority P274 · critical · CVSS 3.0: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 34.93% (98.2th percentile)
Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the PubkeyAuthentication option.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eaton | power_xpert_meter_4000_firmware | < 13.4.0.10 | 13.4.0.10 |
| eaton | power_xpert_meter_6000_firmware | < 13.4.0.10 | 13.4.0.10 |
| eaton | power_xpert_meter_8000_firmware | < 13.4.0.10 | 13.4.0.10 |
Detection & IOCs (extracted from sources)
- Detect SSH authentication attempts using public key (PubkeyAuthentication) to root (uid 0) on Eaton Power Xpert Meter devices; a successful pubkey login to root from an unexpected source is a strong indicator of exploitation.
- A Metasploit auxiliary scanner module exists for this vulnerability: modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb. Monitor for scanning activity targeting SSH on Eaton Xpert Meter devices.
- Affected firmware versions include 12.1.9.1 and 13.3.2.10 and all versions below 13.4.0.10; identify and prioritize devices running these firmware versions for patching and monitoring.
- The hardcoded SSH private key is shared across ALL customer installations of affected Eaton Power Xpert Meter 4000, 6000, and 8000 devices, meaning compromise of the key from any one installation enables attacks against all others running vulnerable firmware.
- Both major firmware branches are affected: versions below 12.x.x.x and versions below 13.3.x.x (fixed in 13.4.0.10). Devices on either branch should be treated as vulnerable until patched.
CVSS provenance
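| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |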
- http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf
- https://www.ctrlu.net/vuln/0006.html
- https://github.com/BrianWGray/msf/blob/master/exploits/linux/ssh/eaton_known_privkey.rb