TANDBERG VCS
Static SSH Host Keys

Release Date: 2010-04-09
Product: Video Communication Server (VCS)
Versions: x5.0, x4.3.0, x4.2.1, and possibly earlier
Severity: High
Discovered by: Jon Hart
Advisory by: Timothy D. Morgan <tmorgan (at) vsecurity.com>
Vendor Status: Firmware version x5.1.1 released
CVE Candidate: CVE-2009-4510
Reference: Original Advisory

Product Description

From [1]:

"The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution and is the center of the video communications network, connecting the benefits of video conferencing and telepresence to other communications environments including unified communications and IP Telephony networks."

Vulnerability Overview

On December 2nd, VSR identified an SSH service authentication weakness in TANDBERG's Video Communication Server. This issue would allow an attacker with privileged network access to conduct server impersonation and man-in-the-middle attacks on administrator SSH sessions. Successful attacks could yield shell access to vulnerable appliances.

Product Background

The TANDBERG Video Communication Server is a Linux-based appliance which supports the interoperation of a plethora of video and voice communications devices. The VCS provides several system shell accounts accessible via the SSH protocol.

Vulnerability Details

The TANDBERG VCS appliance is deployed by default with a DSA SSH key pair stored in the files:

 /tandberg/sshkeys/ssh_host_dsa_key
 /tandberg/sshkeys/ssh_host_dsa_key.pub

In tested versions of the firmware, this default key has a fingerprint of:

  49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8

No new key is generated upon installation. In addition, during a firmware upgrade this default key overwrites any SSH server keys previously installed by security-conscious administrators.

Because this key is public (see firmware downloads [2]), an attacker would be able to conduct server impersonation and man-in-the-middle attacks on SSH connections directed at any TANDBERG VCS device. A successful exploit would most likely yield an attacker shell access to the device with the privileges of the victim client.

Versions Affected

VSR has observed this vulnerability in version x4.2.1. Based on preliminary analysis of configuration files and scripts, versions x4.3.0 and x5.0 also appear to be vulnerable. Earlier versions have not been tested.

Vendor Response

The following timeline details TANDBERG's response to the reported issue:

2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22 VSR provided TANDBERG a draft advisory.
2009-12-28 TANDBERG provided VSR with a beta version of the x5.0 firmware, but this did not appear to correct the issue.
2010-01-22 TANDBERG provided VSR with a beta version of the x5.1 firmware, but this did not appear to correct the issue for existing installations, since old vulnerable keys would be preserved.
2010-01-28 TANDBERG explained that changing SSH keys automatically on administrators may cause backward compatibility problems. Therefore, TANDBERG decided to preserve old keys even when upgrading a system which contains a vulnerable key. Administrators will instead be warned in the web console that a vulnerable key is in use and will be expected to update host keys manually.
2010-03-26 TANDBERG provided VSR with a release candidate firmware for version x5.1.1.
2010-04-07 TANDBERG VCS firmware version x5.1.1 released.
2010-04-09 VSR advisory released.

Recommendation

Immediately replace the current SSH host key with a new one. This may be accomplished through one of several methods. One approach is to simply log in to the device locally and use the ssh-keygen utility to replace the keys stored in /tandberg/sshkeys/. Consult TANDBERG documentation for other methods.

After replacing the SSH host keys, it is recommended that the VCS firmware be upgraded to x5.1.1 as soon as possible. NOTE: Upgrading or downgrading to versions prior to x5.1.1 will cause any custom SSH host keys to be overwritten. Version x5.1.1 and later should preserve any custom host keys previously installed. As a precaution, after upgrading or downgrading VCS firmware, verify that the host key has not changed back to the publicly known one with fingerprint:

  49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8
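
The verification step above can be applied to a whole inventory of appliances. The following is an added example, not part of the original advisory or of any TANDBERG tooling: it reads lines in the `host keytype base64-key` format used by `ssh-keyscan` output and known_hosts files, computes the legacy MD5 fingerprint of each key, and reports hosts still presenting the published default. The host names and key blobs in the sample are constructed.

```python
import base64
import hashlib
import struct

# Fingerprint of the default VCS host key, as published in this advisory.
DEFAULT_VCS_FP = "49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8"


def md5_fingerprint(b64_blob):
    """Colon-separated MD5 fingerprint of a base64 SSH public key blob."""
    digest = hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_keyscan(text):
    """Yield (host, keytype, fingerprint) for each well-formed key line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or truncated entry
        try:
            yield fields[0], fields[1], md5_fingerprint(fields[2])
        except ValueError:
            continue  # key field is not valid base64; skip rather than guess


def hosts_with_known_key(text, bad_fingerprints=(DEFAULT_VCS_FP,)):
    """Return the sorted hosts whose key fingerprint is in bad_fingerprints."""
    bad = {fp.lower() for fp in bad_fingerprints}
    return sorted({host for host, _, fp in parse_keyscan(text) if fp in bad})


def _constructed_blob(seed):
    """Constructed sample: ssh-dss wire layout with meaningless one-byte values."""
    parts = [b"ssh-dss"] + [bytes([seed + i]) for i in range(1, 5)]  # p, q, g, y
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()


# Constructed scan output: two parseable entries and one corrupt entry.
SAMPLE_SCAN = "\n".join([
    "# constructed sample, not real appliances",
    "vcs-a.example.test ssh-dss " + _constructed_blob(1),
    "vcs-b.example.test ssh-dss " + _constructed_blob(2),
    "broken.example.test ssh-dss ###not-base64###",
])

if __name__ == "__main__":
    print(hosts_with_known_key(SAMPLE_SCAN) or "no host presents the default key")
```

Any host this reports after a firmware upgrade or downgrade needs its host key regenerated as described above.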

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2009-4510 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to TANDBERG for the quick initial response and cooperation.


References

1. TANDBERG - Video Communication Server
http://www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp
2. TANDBERG VCS Firmware Downloads
http://ftp.tandberg.com/pub/software/vcs/

Copyright © 2009,2010 Virtual Security Research, LLC. All rights reserved.
