Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Ceragon FibeAir IP-10 SSH Private Key Exposure (CVE-2015-0936)

Ceragon FibeAir IP-10 SSH Private Key Exposure (CVE-2015-0936)

Product Description

Ceragon produces a series of ruggedized, microwave backhaul devices used to provide connectivity to mobile, IP-based devices; usually, these devices are found in either large industrial environments, or installed on towers to provide "middle-mile" connectivity to mobile customers on behalf of ISPs. In other words, a FibeAir IP-10 typically act as a router of IP traffic. A compromise on these devices can expose the communications of all subscribed devices.

Vulnerability Summary

Several versions of Ceragon FibeAir IP-10 devices have been identified as having a static, pre-generated public/private keypair associated with the "mateidu" user available both locally on these devices, and as part of update packages. This issue is similar to the previously-reported default root password, reported by Jasper Greve and identified as CVE-2015-0924. This vulnerability was discovered independently by HD Moore of Rapid7, Inc., while validating CVE-2015-0924.


There are two important distinctions from CVE-2015-0924. First, the mateidu user does not, by default, have root-level access permissions on the device. In order to obtain root access, an attacker would need to also exercise a local vulnerability.

Second, even if the user was able to easily replace the mateidu authorized_keys file, later firmware upgrades replace any existing authorized_keys file with the standard issue key. Distributions of these update packages containing the corresponding private key are easily obtained by using simple search terms on any major search engine.

A Metasploit module has been produced and published to demonstrate the vulnerability, and is made publicly available so device owners and maintainers may effectively and easily test any mitigation and patching solution provided or invented.

Exposed Key Pair

The shipping public key for the mateidu user has the fingerprint, 27:c6:ad:f9:a6:4d:22:3f:18:b0:3b:df:81:1c:57:45 , and is:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwRIdDlHaIqZXND/l1vFT7ue3rc/DvXh2yx5EFtuxGQRHVxGMazDhV4vj5ANGXDQwUYI0iZh6aOVrDy8I/y9/y+YDGCvsnqrDbuPDjW26s2bBXWgUPiC93T3TA6L2KOxhVcl7mljEOIYACRHPpJNYVGhinCxDUH9LxMrdNXgP5Ok= mateidu@localhost

The private key is:


Vendor Response

According to the vendor, "A software version that fixes the vulnerability found in the IP-10 product has been released and is available to our customers for download through our customer support resource center. Customers who need assistance are encouraged to contact a Ceragon customer support representative."


  • Jan 16, 2015 (Sat): CVE-2015-0924 disclosed by CERT/CC
  • Jan 21, 2015 (Thu): Rapid7 researcher HD Moore discovers this related vulnerability
  • Jan 26, 2015 (Mon): Vendor is notified of the vulnerability
  • Feb 02, 2015 (Tue): Vendor confirms report and indicates a fix is prepared
  • Feb 11, 2015 (Thu): CERT/CC is notified, assigns VU#573412 and CVE-2015-0936.
  • Mar 26, 2015 (Thu): Vendor confirms a fix has been released
  • Apr 01, 2015 (Wed): Public disclosure and Metasploit module is published
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.