{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/142546#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe SMA Technologies OpCon UNIX agent adds the same SSH key to the root account on every installation and on subsequent updates. An attacker with access to the private key can gain root access on affected systems.\r\n\r\n### Description\r\nDuring OpCon UNIX agent installation and updates, an SSH public key is added to the root account's `authorized_keys` file. The corresponding private key, named `sma_id_rsa`, is included with the installation files and is not encrypted with a passphrase. Because the same key pair ships with every copy of the installation files, anyone who obtains those files holds a private key that is authorized on every affected host. Removal of the OpCon software does not remove the entry from the `authorized_keys` file, so hosts that no longer run the agent remain exposed.\r\n\r\n### Impact\r\nAn attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems.\r\n\r\n### Solution\r\n#### Remove the SSH key\r\nSMA Technologies has [provided a tool](https://smatechnologies.hosted-by-files.com/SMAUnixLSAMVulnerabilityFix/) to address the issue.\r\n\r\nAnother option is to manually remove the SSH key entry from root's `authorized_keys` file. 
The key can be identified by its fingerprints:\r\n\r\n`SHA256:qbgTVNkLGI5G7erZqDhte63Vpw+9g88jYCxMuh8cLeg`\r\n`MD5:f1:6c:c9:ba:21:66:ce:7c:5a:55:e2:4d:07:72:cc:31`\r\n\r\nDepending on the shell and operating system there are [various ways](https://serverfault.com/questions/413231/how-to-get-all-fingerprints-for-ssh-authorized-keys2-file) to generate fingerprints for public keys listed in `authorized_keys`.\r\n\r\n#### Upgrade\r\nSMA Technologies [reports](https://kb.cert.org/vuls/id/142546#SMA%20Technlogies) that \"We have updated our UNIX agent version 21.2 package to no longer include (and also remove) any existing vulnerability.\"\r\n\r\n### Acknowledgements\r\nThanks to Nick Holland at Holland Consulting for researching and reporting this vulnerability.\r\n\r\nThis document was written by Kevin Stephens.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"On Wednesday, March 16th, SMA was made aware of a critical security vulnerability in the OpCon UNIX agent that affects version 21.2 and earlier of the agent. We have analyzed the reported vulnerability and have created a utility that can be applied to remove the vulnerability from affected systems. 
The utility should be run as soon as possible on all UNIX/Linux/AIX systems using the OpCon UNIX agent to prevent any potential exploitation.\r\n\r\nWe have updated our UNIX agent version 21.2 package to no longer include (and also remove) any existing vulnerability.","title":"Vendor statement from SMA Technologies"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/142546"},{"url":"https://smatechnologies.hosted-by-files.com/SMAUnixLSAMVulnerabilityFix/","summary":"https://smatechnologies.hosted-by-files.com/SMAUnixLSAMVulnerabilityFix/"},{"url":"https://serverfault.com/questions/413231/how-to-get-all-fingerprints-for-ssh-authorized-keys2-file","summary":"https://serverfault.com/questions/413231/how-to-get-all-fingerprints-for-ssh-authorized-keys2-file"},{"url":"https://smatechnologies.hosted-by-files.com/SMAUnixLSAMVulnerabilityFix/","summary":"Reference(s) from vendor \"SMA Technologies\""}],"title":"SMA Technologies OpCon UNIX agent adds the same SSH key to all installations","tracking":{"current_release_date":"2022-06-21T16:38:18+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#142546","initial_release_date":"2022-06-21 16:38:18.075218+00:00","revision_history":[{"date":"2022-06-21T16:38:18+00:00","number":"1.20220621163818.1","summary":"Released on 2022-06-21T16:38:18+00:00"}],"status":"final","version":"1.20220621163818.1"}},"vulnerabilities":[{"title":"SMA Technologies OpCon prior to and including version 21.","notes":[{"category":"summary","text":"SMA Technologies OpCon prior to and including version 21.2 
silently installs a public SSH key into the root account's \"authorized_keys\" file. Both the public and the private key are distributed with OpCon. An attacker with access to the private key can gain root access on affected systems."}],"cve":"CVE-2022-2154","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#142546"}],"product_status":{"known_affected":["CSAFPID-8f13b18a-39e5-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"SMA Technologies","product":{"name":"SMA Technologies Products","product_id":"CSAFPID-8f13b18a-39e5-11f1-8422-122e2785dc9f"}}]}}
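The manual remediation in the note (identify the shipped key in root's `authorized_keys` by its fingerprint, then remove that entry) carried through in code, as an added example appended to the note; it is neither CERT/CC's text nor SMA's fix tool. It uses only the Python standard library and reproduces `ssh-keygen`'s fingerprint notation (SHA256 over the decoded key blob, base64 without padding; MD5 as colon-separated hex). The two fingerprints it searches for are the ones published above. The `authorized_keys` content it scans is constructed for the example (the keys are synthetic blobs, not the OpCon key, so on this input nothing matches), and the path `/root/.ssh/authorized_keys` mentioned below is an assumption about where root's file lives.

```python
"""Find and remove an SSH public key from authorized_keys by fingerprint.

Added example for VU#142546 (not part of the CERT/CC note or SMA's tool).
Standard library only. Sample keys and file content are constructed.
"""
import base64
import hashlib
import struct

# Fingerprints of the shipped OpCon key, as published in VU#142546.
OPCON_FINGERPRINTS = {
    "SHA256:qbgTVNkLGI5G7erZqDhte63Vpw+9g88jYCxMuh8cLeg",
    "MD5:f1:6c:c9:ba:21:66:ce:7c:5a:55:e2:4d:07:72:cc:31",
}

# Key-type tokens that can appear in an authorized_keys line, possibly after a
# leading options field such as  from="10.0.0.5",no-pty  (options may contain
# spaces only inside quotes, which this simple tokenizer does not handle).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def key_blob(line):
    """Return the decoded public-key blob from an authorized_keys line, or None."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            try:
                return base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
    return None


def fingerprints(line):
    """Return (sha256_fp, md5_fp) in ssh-keygen's notation, or None."""
    blob = key_blob(line)
    if blob is None:
        return None
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return ("SHA256:" + sha, "MD5:" + md5)


def scan_authorized_keys(text, targets):
    """Split authorized_keys text into (kept, removed) lists of lines.

    A line is removed when either of its fingerprints is in `targets`.
    Blank lines, comments and lines that do not parse as keys are kept.
    """
    kept, removed = [], []
    for line in text.splitlines():
        fps = fingerprints(line)
        if fps and (fps[0] in targets or fps[1] in targets):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


def make_ed25519_line(seed, comment):
    """Build a syntactically valid ssh-ed25519 authorized_keys line.

    Constructed for this example only: the 32 "public key" bytes are a hash
    of the seed and correspond to no real private key.
    """
    pub = hashlib.sha256(bytes([seed])).digest()  # 32 bytes
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed sample; a real run would read /root/.ssh/authorized_keys
    # (assumed path), back it up, and write the `kept` lines back.
    sample = "\n".join([
        "# administrator keys",
        make_ed25519_line(1, "ops@bastion"),
        'from="10.0.0.5",no-pty ' + make_ed25519_line(2, "backup"),
    ])
    kept, removed = scan_authorized_keys(sample, OPCON_FINGERPRINTS)
    print(f"{len(removed)} OpCon entries removed, {len(kept)} lines kept")
    for line in kept:
        fps = fingerprints(line)
        print(fps[0] if fps else line)
```

Cross-check the result before rewriting the file: on a host with OpenSSH, `ssh-keygen -l -f /root/.ssh/authorized_keys` lists the SHA256 fingerprint of every key in the file and `ssh-keygen -l -E md5 -f /root/.ssh/authorized_keys` lists the MD5 ones, and both should agree with what the script computes. Matching on either fingerprint matters because older advisories and tooling still report MD5. Remember that the script only removes the `authorized_keys` entry; if the agent was uninstalled rather than upgraded, the private key file may still be present in the leftover installation files and should be deleted as well.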