ExaGrid has removed a private SSH key and weak, hardcoded credentials shipping with all of its disk-based storage appliances.
Updated firmware has been available since March 24 and storage and security managers are urged to update devices to version 4.8 P26.
Researcher James Lee of Rapid7 privately disclosed the issue to the storage vendor on Jan. 29; Rapid7 today publicly disclosed.
Lee found two public keys in the root user’s .ssh/authorized_keys file, one being the ExaGrid support key and the other the exagrid-manufacturing-key-20070604. A private key paired with the manufacturing key ships on the device and is found in the /usr/share/exagridkeyring/ssh/manufacturing directory.
Lee also disclosed that the web interface for ExaGrid appliances ship with default credentials [support:support]. An attacker can use this weak username-password combination to gain full control of an appliance, including running commands as root, Rapid7 said.
“SSH is enabled by default and remote root login is allowed with a default password of ‘inflection,'” Rapid7 said in an advisory published today.
ExaGrid is based in Westborough, Mass., and sells Linux-based backup appliances. Attackers can target the weaknesses in these appliances with a standard SSH client and a Web browser, Rapid7 said.
“The SSH private key, which is common to every shipping device, is located on the device at /usr/share/exagridkeyring/ssh/manufacturing, available to anyone who owns a device or anyone who can download and extract the firmware,” Rapid7 said.
Rapid7 recommends removing the two SSH keys from the /root/.ssh/authorized_keys and /root/.ssh/authorized_keys2 files and changing the root user’s password.
The issue in the web interface may be more challenging since the ExaGrid software update process uses the hardcoded password, and while it’s possible to change the support account password, doing so may break updates, Rapid7 said.
“Since both the SSH and web UI exposures allow for remote OS commands, they’re both equally serious,” said Rapid7’s Tod Beardsley. “The web vector is more likely to be exposed to the internet, but the ssh vector is more straightforward since you’re already in a command shell.”