Today the folks at DHS ICS-CERT published an advisory [Link added 12-30-12] for an
insufficient entropy vulnerability in the Tropos Wireless Mesh Routers. The
vulnerability was reported by four university researchers: Nadia Heninger, J.
Alex Halderman, Zakir Durumeric, and Eric Wustrow. This advisory was
originally published on the US CERT secure portal almost two months ago.
The insufficient entropy results in weak keys for SSH
connections. This could allow a highly skilled attacker to execute a man-in-the-middle
attack, gaining unauthorized access to the system or
compromising the integrity of system data.
Tropos has ‘released customer notification’ (a note on their
web page, not an active notice sent to customers) and prepared an OS update
available for download. It looks like ICS-CERT has stopped commenting on the
efficacy of these updates; either that or Tropos has not had their update
verified.
Nothing new or exciting here; just another inadequately
executed security system.