News from 2019-12-09


Meinberg Security Advisory: [MBGSA-1904] SyncBox PTP/PTPv2


The SyncBox/PTP and SyncBox/PTPv2 firmware was shipped with preconfigured SSH keys. For this reason, a tool has been developed that automatically regenerates the SSH host keys and removes the old authorized and known keys. Importing the tool via the update function regenerates all SSH host keys. Consequently, the next SSH login attempt to a SyncBox produces a warning that the host key has changed.

Threat assessment:

  • SyncBox/PTP/PTPv2 firmware, all versions (see the affected systems listed in section 2):
    Severity critical.

Updated version:

  • SyncBox/PTP/PTPv2-Firmware:
    SyncBox/PTP/PTPv2 firmware: The firmware version is not changed by this tool. A log file is written to "/update.log" documenting whether the key generation succeeded.

1 Description of security vulnerabilities

CVE-2019-17584 severity critical:
SyncBox/PTP and SyncBox/PTPv2 were delivered with default SSH keys. These shared default keys make man-in-the-middle attacks much easier. One of them is additionally stored as an authorized key, which allows root login over the network without any passphrase prompt (found by Simon Winter https://www.xing.com/profile/Simon_Winter17).

2 Affected systems

The use of default SSH host keys applies to all SyncBox systems on which the SSH host keys were not manually replaced by the user. Also verify that the "/root/authorized_keys" and "/root/known_hosts" files contain no SSH key that was not explicitly stored there by the user.

To confirm that no default SSH keys are in use, log in via SSH and check whether any of the following public keys is present on the device. If one of the stored keys is identical to a key listed here, the device still carries a default key and it must be replaced.

Authorized Key RSA:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzrkPESKunGZ7VGGqDD2IEFXh9wylPo5TynYdKcXq+kbFGG60fo6scPKgqQBMg44NZit1MdJEw7hUbA9jqGJr5l/93cjwjMDAdrkgW9c5k74nTYvlIwEHy8SVtqR3skm7bQKmFwmErNccS0euxcvVYqFI0vV04m2gJqV0Z4HuiUM=root@linux

Host Key DSA as DSS:
ssh-dss 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

or:

ssh-dss AAAAB3NzaC1kc3MAAACBAMR0jQPvPnHL5CdSQ3WU0J/MCcyZh3H3GRyZvYLh8ZltiJlsxtPw6/BSX8X2YTJwR63vs9zdbAHbyaNwGftHwjRIxTSIvc1B3OIq2BHVNzeSy4DWeuq9rLa660juafcGOq6W2uGbh2oWAQtDVHXfpTtO/wJRXjP0rajJQGcVCX+bAAAAFQCIc25dctuGpRb2G/bnx0Z5vOgD5wAAAIAcop3jzf3BuHCDcj3YxYa7Z5mSYEmxl8YRikNl8u5GFxd70+rcd2ya4H7bOLdnAcav+vG/Sf07eTUKr3yuyN8kdu2UfUG8qzJZgWeiGqO/R9t41lMSJJWu/7ZkATjka8BS5ExEEhUYUHndaEHmtpNM9kAbPvqFHV3ys0Es9w5MtwAAAIBNgavPbL8ZBE9Cv20bhZlHkf6Hxn81OFfG1hzW/4SfEVKRRcys/SbAR1OE9wz3vpquDyxrEgSl/p8csEjpJucJsy3Yb2RdRrQ7VnxPuguQnU6yEkBpthDBemfpz/u2wy/ma+baKTB4yGTaS6THEepbPwFPZoxteIuAREH10aBCYA==root@colibri

Host Key ECDSA:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEOCpD1PKaHibvUUnfwNrvAUPaJEO5zK3BADhNWQzjJ8aCSCmrkWfCAPq8oO59lV2kPX8R/YApXDW/I63HRnygQ=

Host Key RSA: 2048 65537 20029759096134637824756177350467424396787114641882053230308389248270094064857334222957778026324558390692549698510775751106747165055763561793771975289146494551949663109110603632160482668544507568361339755929323482976442850256030421789175116149861118049838843599216553167640758784137135662780164866833227684470427953260761696257865925486291591503575686301422063096123287739945268534378710322372459923264935710362677297008811624245813850204664480744001875509095340001476802104336517178282698460346668260009584402587806591388304148337521197711309487182761201898233647516025627696151168370702113445201140160960591203695983

Host Key RSA: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwL+3U5ZZD8yKOrTm7ZlUdfAGIzDx95CcAYS4BcVwfJpVaWiEQDupOgQE70c21I+k7G8CmxSHZlTf/dXuarVITBXS1ejJk1NxFkiIhj1bSBLB1gNyUhwA1X7YjPTVGLDZeD+0QPwZDAtkCPVCUOTXsjhS7Fmco6yVjSIBkYJ7zjE/A0+XuDvvspHWxOLEXMCFK75iTgMMPSw7s8XvZejMClny+dLr5ehi5MxR8nUYtojm/VeJoL28bFNLtrC2aowNjxqNuKUUDOqaALv8hS0lCxEcKgqRg8TjwAjy5hpH24whEFCJloJkddd3EK1aqLSzCy1ClZPBKu/nPHOWf7EmHw== root@colibri

All SyncBox/PTP/PTPv2 firmware versions up to and including the following were supplied with default keys:

  • v5.34o
  • v5.34s
  • v5.32*
  • v5.34g

The SyncBox/PTP/PTPv2 firmware is used by all devices of the SyncBox product family (rail mount and multipack housings).

Whether and to what extent individual customers or SyncBox systems can be attacked depends on their configuration, network infrastructure, and other factors. For this reason, it is not possible to make a general statement about the actual vulnerability to attack of the systems used.

3 Possible security measures

The tool for renewing the SSH keys and removing the authorized and known keys from a SyncBox is located in the update file. The tool can be selected and started using the firmware upload function of the web interface. After a subsequent restart of the SyncBox, the SSH keys are replaced and the authorized keys are emptied. The success of this measure can be checked in "/update.log".

If a user does not want to renew or remove all keys, the following files must be checked and any default keys they contain replaced. The list covers the possible storage locations across different firmware versions; on any given device only a subset of these paths exists.

  • /home/root/.ssh/authorized_keys
  • /home/root/.ssh/known_hosts
  • /root/.ssh/authorized_keys
  • /root/.ssh/mbg_authorized_keys
  • /etc/ssh/ssh_host_rsa_key.pub
  • /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/ssh_host_dsa_key.pub
  • /etc/ssh/ssh_host_dsa_key
  • /etc/ssh_host_rsa_key.pub
  • /etc/ssh_host_rsa_key
  • /etc/ssh_host_dsa_key.pub
  • /etc/ssh_host_dsa_key
  • /etc/ssh_host_ecdsa_key.pub
  • /etc/ssh_host_ecdsa_key
  • /etc/ssh_host_key.pub
  • /etc/ssh_host_key
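As an added example (not part of Meinberg's advisory or of its update tool), the following Python script performs the check described in section 2 against the file locations listed in section 3. It decodes every public key line in authorized_keys, known_hosts and .pub files, compares the key blob (and, for RSA keys, the modulus) with the default keys quoted above, and reports each hit with an OpenSSH-style SHA256 fingerprint. The key constants are copied from this advisory; the first DSS key is omitted because it is not reproduced on this page. The sample authorized_keys content, the placeholder ed25519 blob and the hostname in the usage are constructed for the demonstration and are not real keys or devices.

```python
import base64
import hashlib
import os
import re
import struct

# Default public keys quoted in section 2 of the advisory (copied from the page;
# the first DSS key is not reproduced on the page and is therefore omitted).
ADVISORY_DEFAULT_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzrkPESKunGZ7VGGqDD2IEFXh9wylPo5TynYdKcXq+kbFGG60fo6scPKgqQBMg44NZit1MdJEw7hUbA9jqGJr5l/93cjwjMDAdrkgW9c5k74nTYvlIwEHy8SVtqR3skm7bQKmFwmErNccS0euxcvVYqFI0vV04m2gJqV0Z4HuiUM= root@linux",
    "ssh-dss AAAAB3NzaC1kc3MAAACBAMR0jQPvPnHL5CdSQ3WU0J/MCcyZh3H3GRyZvYLh8ZltiJlsxtPw6/BSX8X2YTJwR63vs9zdbAHbyaNwGftHwjRIxTSIvc1B3OIq2BHVNzeSy4DWeuq9rLa660juafcGOq6W2uGbh2oWAQtDVHXfpTtO/wJRXjP0rajJQGcVCX+bAAAAFQCIc25dctuGpRb2G/bnx0Z5vOgD5wAAAIAcop3jzf3BuHCDcj3YxYa7Z5mSYEmxl8YRikNl8u5GFxd70+rcd2ya4H7bOLdnAcav+vG/Sf07eTUKr3yuyN8kdu2UfUG8qzJZgWeiGqO/R9t41lMSJJWu/7ZkATjka8BS5ExEEhUYUHndaEHmtpNM9kAbPvqFHV3ys0Es9w5MtwAAAIBNgavPbL8ZBE9Cv20bhZlHkf6Hxn81OFfG1hzW/4SfEVKRRcys/SbAR1OE9wz3vpquDyxrEgSl/p8csEjpJucJsy3Yb2RdRrQ7VnxPuguQnU6yEkBpthDBemfpz/u2wy/ma+baKTB4yGTaS6THEepbPwFPZoxteIuAREH10aBCYA== root@colibri",
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEOCpD1PKaHibvUUnfwNrvAUPaJEO5zK3BADhNWQzjJ8aCSCmrkWfCAPq8oO59lV2kPX8R/YApXDW/I63HRnygQ=",
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwL+3U5ZZD8yKOrTm7ZlUdfAGIzDx95CcAYS4BcVwfJpVaWiEQDupOgQE70c21I+k7G8CmxSHZlTf/dXuarVITBXS1ejJk1NxFkiIhj1bSBLB1gNyUhwA1X7YjPTVGLDZeD+0QPwZDAtkCPVCUOTXsjhS7Fmco6yVjSIBkYJ7zjE/A0+XuDvvspHWxOLEXMCFK75iTgMMPSw7s8XvZejMClny+dLr5ehi5MxR8nUYtojm/VeJoL28bFNLtrC2aowNjxqNuKUUDOqaALv8hS0lCxEcKgqRg8TjwAjy5hpH24whEFCJloJkddd3EK1aqLSzCy1ClZPBKu/nPHOWf7EmHw== root@colibri",
]
# The RSA host key the advisory also prints in SSH1 "bits exponent modulus" form.
ADVISORY_DEFAULT_SSH1_MODULI = {int("20029759096134637824756177350467424396787114641882053230308389248270094064857334222957778026324558390692549698510775751106747165055763561793771975289146494551949663109110603632160482668544507568361339755929323482976442850256030421789175116149861118049838843599216553167640758784137135662780164866833227684470427953260761696257865925486291591503575686301422063096123287739945268534378710322372459923264935710362677297008811624245813850204664480744001875509095340001476802104336517178282698460346668260009584402587806591388304148337521197711309487182761201898233647516025627696151168370702113445201140160960591203695983")}
# Possible key locations listed in section 3 (only a subset exists on a given firmware).
ADVISORY_PATHS = [
    "/home/root/.ssh/authorized_keys", "/home/root/.ssh/known_hosts", "/root/.ssh/authorized_keys", "/root/.ssh/mbg_authorized_keys",
    "/etc/ssh/ssh_host_rsa_key.pub", "/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_dsa_key.pub", "/etc/ssh/ssh_host_dsa_key",
    "/etc/ssh_host_rsa_key.pub", "/etc/ssh_host_rsa_key", "/etc/ssh_host_dsa_key.pub", "/etc/ssh_host_dsa_key",
    "/etc/ssh_host_ecdsa_key.pub", "/etc/ssh_host_ecdsa_key", "/etc/ssh_host_key.pub", "/etc/ssh_host_key",
]
# "<type> <base64>" in authorized_keys, known_hosts, *.pub and ssh-keyscan lines, whatever the prefix.
SSH2_RE = re.compile(r"(ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d+|ssh-ed25519)\s+([A-Za-z0-9+/]+=*)")
# SSH1-style "bits exponent modulus" lines (legacy host key files and known_hosts entries).
SSH1_RE = re.compile(r"\b(\d{3,5})\s+(\d+)\s+(\d{100,})\b")

def _read_string(buf, off):
    # One length-prefixed SSH "string" field (RFC 4251) starting at offset off.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_blob(blob):
    """Return (key type, RSA modulus or None) for a decoded SSH2 public key blob."""
    key_type, off = _read_string(blob, 0)
    modulus = None
    if key_type == b"ssh-rsa":
        _exponent, off = _read_string(blob, off)
        n_bytes, _ = _read_string(blob, off)
        modulus = int.from_bytes(n_bytes, "big")
    return key_type.decode(), modulus

def decode_line(line):
    """Blob of the SSH2 key on a key-file line, or None if there is none or it is malformed."""
    m = SSH2_RE.search(line)
    try:
        blob = base64.b64decode(m.group(2))
        parse_blob(blob)  # structural check: rejects truncated or mistyped blobs
        return blob
    except (AttributeError, ValueError, struct.error):
        return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (base64 without '=' padding) for reporting."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def _load_defaults():
    blobs = {b for b in map(decode_line, ADVISORY_DEFAULT_KEYS) if b is not None}
    moduli = ADVISORY_DEFAULT_SSH1_MODULI | {parse_blob(b)[1] for b in blobs} - {None}
    return blobs, moduli

DEFAULT_BLOBS, DEFAULT_MODULI = _load_defaults()

def scan_lines(lines, source="<input>"):
    """Return (source, line no, key type, fingerprint/modulus note) for every line carrying a default key."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        blob = decode_line(line)
        if blob is not None:
            key_type, modulus = parse_blob(blob)
            if blob in DEFAULT_BLOBS or modulus in DEFAULT_MODULI:
                hits.append((source, lineno, key_type, fingerprint(blob)))
            continue
        m = SSH1_RE.search(line)
        if m and int(m.group(3)) in DEFAULT_MODULI:
            hits.append((source, lineno, "ssh1-rsa", m.group(1) + "-bit modulus"))
    return hits

def scan_paths(paths=ADVISORY_PATHS):
    """Scan whichever of the advisory's file locations exist (run as root on the SyncBox)."""
    hits = []
    for path in filter(os.path.isfile, paths):
        with open(path, errors="replace") as fh:
            hits.extend(scan_lines(fh, path))
    return hits

# Constructed sample authorized_keys: line 1 is the advisory's root@linux key and must be
# reported; line 2 wraps a placeholder ed25519 blob (not a real key) and must not be.
_PLACEHOLDER_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x11" * 32
SAMPLE_AUTHORIZED_KEYS = [
    ADVISORY_DEFAULT_KEYS[0],
    "ssh-ed25519 " + base64.b64encode(_PLACEHOLDER_BLOB).decode() + " admin@example",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_AUTHORIZED_KEYS, "sample") + scan_paths():
        print("DEFAULT KEY FOUND: %s line %d (%s, %s)" % hit)
```

Run on the SyncBox itself (as root, so the private key files are readable; the private halves never match the public-key regex and simply produce no hits) it walks the section 3 locations. From an administration host, the output of `ssh-keyscan <syncbox-address>` is in known_hosts format, so `scan_lines(open("scan.txt"), "scan.txt")` answers the section 2 question without logging in; a default host key reported there means the update tool has not yet been applied to that device.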

Download the SyncBox update file:

All updates are now available to Meinberg customers. We recommend that you replace the SSH keys using the SyncBox firmware update tool.

4 Additional information

For more details and information, visit the following websites:

Please contact Meinberg Support if you have any further questions or need assistance.

5 Acknowledgements

We would like to thank Simon Winter and everyone else who helps us to improve our products and make them more secure.
Many thanks!

