Today the folks at DHS ICS-CERT published an advisory [Link added 12-30-12] for an insufficient entropy vulnerability in the Tropos Wireless Mesh Routers. The vulnerability was reported by four University researchers; Nadia Heninger, J. Alex Haldermanb, Zakir Durumeric, and Eric Wustrow. This advisory was originally published on the US CERT secure portal almost two months ago.
The insufficient entropy results in weak keys for SSH connections. This could allow a highly skilled attacker to execute a man-in-the-middle attack, allowing the attacker to gain unauthorized access to the system or allow the compromise of the integrity of system data.
Tropos has ‘released customer notification’ (a note on their web page not an active notice sent to customers) and prepared an OS update available for download. It looks like ICS-CERT has stopped commenting on the efficacy of these updates; either that or Tropos has not had their update verified.
Nothing new or exciting here; just another inadequately executed security system.