Mitigation for mGuard Vulnerability

Friday, June 22, 2012 @ 12:06 PM gHale


Updating to software version 7.5.0 or later and regenerating the keys mitigates the insufficient entropy vulnerability in the mGuard network appliance product line.

The updated software properly uses the available entropy before generating HTTPS and SSH keys. In addition, it increases the size of the RSA keys from 1024 to 2048 bits.


Innominate and its parent company, Phoenix Contact, recommend updating the keys on the affected products.

Updating can be done by either of the following measures:
1) Use the update mechanism to update the devices to version 7.5.0 or later.
1.1) Install the update; the existing keys will be kept.
1.2) After the update, the user must replace the existing keys using one of the following methods:
(Please note, the process takes up to a minute to complete; no reboot is necessary.)

a) Web UI
– Log in as root or admin
– Click the “Generate new 2048 bit keys” button either in the “Web Settings -> Access” or in the “System Settings -> Shell Access” menu
– Note the fingerprint output of the newly generated keys.
– Log in via HTTPS and compare the certificate information shown by the browser against the noted fingerprint.

b) Console
– Log in via serial console or SSH as user root or admin
– Execute the program “$ rsa_renewal update”
– Note the fingerprint output of the newly generated keys.
– Log in via SSH and compare the fingerprint shown by SSH with the one noted.

2) Upload and execute a shell script via SSH as root, provided by Phoenix Contact.

The script will generate new 2048 bit keys without requiring an update to software version 7.5.0 or later. All software versions starting with 5.0.0 are supported.

The script is listed under the article number and can be downloaded at http://www.phoenixcontact.com.

– Use scp to copy the script onto the FL MGUARD, for example: $ scp generate_2048key.sh root@192.168.1.1:/root/
– Log in via SSH as root
– Execute the script as shown: $ sh /root/generate_2048key.sh
– Note the fingerprint output of the newly generated keys.
– Log in via SSH and compare the fingerprint shown by SSH with the one noted.
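Both procedures end the same way: note the fingerprint printed during regeneration, then confirm that the key the device actually offers over SSH carries that fingerprint and is now 2048 bits rather than the old 1024. The following is an added example, not code from the article or from Phoenix Contact; it assumes the device prints OpenSSH-style colon-separated MD5 fingerprints (as 2012-era clients did) and that the offered key is available as an "ssh-rsa AAAA..." line (for instance from ssh-keyscan). The sample keys are constructed inline so the check runs offline.

```python
import base64
import hashlib
import struct

def _read_field(blob, off):
    # SSH wire format: 4-byte big-endian length, then that many bytes
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length

def parse_ssh_rsa(blob):
    """Return (e, n) from a raw ssh-rsa public-key blob."""
    kind, off = _read_field(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % kind)
    e_bytes, off = _read_field(blob, off)
    n_bytes, _ = _read_field(blob, off)
    # mpints are big-endian; a leading 0x00 only keeps the value positive
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def line_to_blob(key_line):
    """Decode the base64 field of an 'ssh-rsa AAAA... comment' line."""
    return base64.b64decode(key_line.split()[1])

def key_bits(blob):
    return parse_ssh_rsa(blob)[1].bit_length()

def md5_fingerprint(blob):
    """Colon-separated MD5 hex, the format 2012-era OpenSSH clients print."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def verify_regenerated_key(key_line, noted_fingerprint, min_bits=2048):
    """Compare the key the device offers with the noted fingerprint and the expected size."""
    blob = line_to_blob(key_line)
    matches = noted_fingerprint.strip().lower() == md5_fingerprint(blob)
    return {"fingerprint_matches": matches, "key_size_ok": key_bits(blob) >= min_bits}

def _mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return (b"\x00" + b) if b[0] & 0x80 else b  # sign byte when the top bit is set

def build_ssh_rsa_line(e, n, comment="constructed"):
    """Encode e and n as an ssh-rsa line; used here only to construct offline samples."""
    parts = [b"ssh-rsa", _mpint(e), _mpint(n)]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample moduli (not real RSA keys): top bit set so the size check is exact.
OLD_KEY_LINE = build_ssh_rsa_line(65537, (1 << 1023) | 0x1AB5D1)  # 1024-bit, pre-7.5.0 size
NEW_KEY_LINE = build_ssh_rsa_line(65537, (1 << 2047) | 0x3C9F17)  # 2048-bit, after regeneration
```

A key that still reports 1024 bits after the procedure means the old weak key is still in place and regeneration must be repeated.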

Phoenix Contact recommends changing the administrative passwords of affected FL MGUARD devices.


