OSVDB ID: 82975

Title: Innominate Multiple mGuard Products Private Key Calculation MitM Weakness

Info

Disclosure

Jun 14, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Jun 14, 2012

Description

Multiple Innominate mGuard products contain a flaw related to an insufficient use of entropy in the generation of keys for HTTPS and SSH. This may allow an attacker to calculate the value of private keys, allowing them to sniff traffic or possibly inject commands to be executed on the remote system via a man-in-the-middle attack.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Authentication Required, SCADA

Solution

Upgrade to version 7.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Innominate Security Technologies AG	mGuard Smart	HW-101020
		HW-101050
		BD-101010
		BD-101020
	mGuard PCI	HW-102020
		HW-102050
		BD-111010
		BD-111020
	mGuard Industrial RS	HW-105000
		BD-501000
		BD-501010
		BD-501020
	mGuard Blade	HW-104020
	mGuard Blade	HW-104050
	mGuard Delta	HW-103050
	mGuard Delta	BD-201000
	EAGLE mGuard	HW-201000
	EAGLE mGuard	BD-301010

References

CVE ID: 2012-3006 (see also: NVD)
Secunia Advisory ID: 49632
Vendor Specific Advisory URL: http://www.innominate.com/data/downloads/software/innominate_security_advisory_20120614_001.pdf
Other Advisory URL: http://www.us-cert.gov/control_systems/pdf/ICSA-12-167-01.pdf
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/82975

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Innominate Security Technologies AG

mGuard Smart

mGuard PCI

mGuard Industrial RS

mGuard Blade

mGuard Delta

EAGLE mGuard

References

Credit