DropBear Vulnerability

[knewmania]

After running a Nessus scan on my home network, the scanner indicates that the DropBear SSH versions running on my Vera units are vulnerable. The vulnerability is outlined under CVE-2012-0920 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0920). These vulnerabilities are resolved in newer version of DropBear SSH (2012.55 or later).

Vera 3 Firmware: 1.7.760
DropBear SSH version: 0.53.1

Vera 2 Firmware: 1.5.622
DropBear SSH version: 0.52

Not sure if there is a roadmap to incorporate new versions of DropBear in future firmware, but maybe there should be. I would submit a bug report, but it doesn't seem that bugs.micasaverde.com is getting much attention.

[RichardTSchaefer]

Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are letting ports open in your router to access Vera than there are more problems than just DropBear to worry about.

[knewmania]

Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are letting ports open in your router to access Vera than there are more problems than just DropBear to worry about.

I don't disagree that under most Vera scenarios, the vulnerability is lower than is outlined in the CVE. I do think this is something that should be addressed though. I submitted a ticket. I will follow up on what their response is.

[mcalistair]

They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself.
But as mentioned by RTS if you have an open FireWall, well then you more issues to worry about 

[logread]

They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself.

Could not agree more... On my Veralite the OpenWRT under the hood of firmware 1.7.760 is still version 10.03.1 (backfire) that is more than three years old and 3 major revisions behind !!!
I think (though I do not own one so it would be good for somebody who does to confirm) that Vera has upgraded a few times OpenWRT for the Vera Edge... Why not VeraLite (and I suspect Vera 3 as well) ?

[knewmania]

I submitted a ticket. I will follow up on what their response is.

I received an update on the ticket I submitted. Here is the response:

I have discussed with my colleagues from the sysadmin team and they assured me that they have in plan to upgrade the DropBear SSH version of the Vera controllers in the near future.

I responded asking for any information on targeted release information (date/version), but they responded that they do not have those details.

[bwillette]

Any updates on this, the vulnerability is still in the latest firmware?

[LindsiWains]

I never thought of that vulnerability, Thanks for your information and making our knowledge updated

[joltman]

This vulnerability still exists on Vera Edge as of the latest firmware.  I understand that firewall rules can restrict access to this vulnerability, but that's not a great excuse for not fixing it.  It just creates another attack vector that can be used in conjunction with another vulnerability to gain access.

[SDorsey]

Thanks for sharing the information.

[bwillette]

2 years later and still no progress.  Disappointing to say the least.  I guess security isn't a priority, since this would likely be a very trivial update.