PT-2023-10639 · Rapid7 · Nexpose+1
Ken Mizota · Published 2023-01-12 · Updated 2025-04-08 · CVE-2017-5242
CVSS v3.1: 7.7 (High), vector AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Nexpose virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017
InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017
Description
The issue affects Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017. These appliances share identical SSH host keys, whereas a unique SSH host key should be generated the first time a virtual appliance boots.
Recommendations
For Nexpose virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017, consider regenerating the SSH host key to ensure uniqueness.
For InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017, consider regenerating the SSH host key to ensure uniqueness.
As a temporary workaround, restrict access to the SSH service until a unique SSH host key can be generated.
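An added example (not part of this advisory or of Rapid7's own tooling) that checks a fleet for the condition described above: it reads `ssh-keyscan` output and reports any host key that more than one appliance presents. The hostnames and key material are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `ssh-keyscan -t ed25519 <host>` output for three
# appliances. The keys are placeholders, not real Nexpose/InsightVM keys.
SAMPLE_SCAN='nexpose-a.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY000000000000000000001
insightvm-b.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY000000000000000000001
nexpose-c.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY000000000000000000002'

# Reads ssh-keyscan lines ("host keytype key") on stdin and prints one line
# per key that appears on more than one host: "keytype key host1 host2 ...".
# Identical host keys produce byte-identical key fields, so a plain string
# comparison is enough; no fingerprinting tool is required.
find_shared_hostkeys() {
    awk '
        /^#/ || NF < 3 { next }          # skip ssh-keyscan comments and blank lines
        {
            k = $2 " " $3
            hosts[k] = hosts[k] (hosts[k] ? " " : "") $1
            n[k]++
        }
        END { for (k in hosts) if (n[k] > 1) print k " " hosts[k] }
    ' | sort
}

# Number of distinct keys shared by more than one host (0 means the fleet is clean).
count_shared_hostkeys() {
    find_shared_hostkeys | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample. Every host listed on a reported
# line needs its host keys regenerated; on a stock OpenSSH system that is
# typically `rm /etc/ssh/ssh_host_* && ssh-keygen -A` (general OpenSSH
# practice, not a procedure taken from this advisory).
printf '%s\n' "$SAMPLE_SCAN" | find_shared_hostkeys
```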
Fix
Use of Insufficiently Random Values
Related Identifiers
Affected Products
InsightVM
Nexpose