Topic: DropBear Vulnerability

knewmania (Sr. Member)
DropBear Vulnerability
« on: January 29, 2016, 03:51:29 pm »
After running a Nessus scan on my home network, the scanner indicates that the DropBear SSH versions running on my Vera units are vulnerable. The vulnerability is outlined under CVE-2012-0920 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0920). These vulnerabilities are resolved in newer versions of DropBear SSH (2012.55 or later).

Vera 3 Firmware: 1.7.760
DropBear SSH version: 0.53.1

Vera 2 Firmware: 1.5.622
DropBear SSH version: 0.52

Not sure if there is a roadmap to incorporate new versions of DropBear in future firmware, but maybe there should be. I would submit a bug report, but it doesn't seem that bugs.micasaverde.com is getting much attention.
Vera 2. UI 1.5.622 / Vera 3. UI 1.7.760
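The check the original post describes (read the Dropbear version a host reports, compare it against the 2012.55 fix) is easy to reproduce without Nessus, since Dropbear announces its version in the SSH identification line ("SSH-2.0-dropbear_<version>"). The script below is an added example written for this page, not code from the thread or from Vera/MiOS; the banners it classifies are constructed from the firmware versions reported above plus one patched reference value. It also handles the one edge a naive string comparison gets wrong: Dropbear moved from 0.xx(.y) numbering (0.52, 0.53.1) to YYYY.nn numbering (2011.54, 2012.55), so versions must be compared numerically field by field. As context for the "firewall makes it moot" discussion that follows, NVD describes CVE-2012-0920 as a use-after-free reachable by remote *authenticated* users when public-key authentication with command restrictions is in use; the script only reports whether a banner predates the fix, not whether that precondition holds on a given unit.

```python
"""Classify Dropbear SSH banners against the CVE-2012-0920 fix release.

Added example for this page; not part of the original thread.
Sample banners are constructed from the Vera versions reported in the post.
"""
import re
import socket
from typing import Optional, Tuple

# Fix release named in the thread (and in the NVD entry): 2012.55 or later.
FIXED_VERSION = "2012.55"

# Dropbear's identification line looks like "SSH-2.0-dropbear_0.52" or
# "SSH-2.0-dropbear_2012.55", optionally followed by a space and a comment.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-dropbear_(?P<ver>[0-9][0-9.]*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.53.1' into (0, 53, 1) and '2012.55' into (2012, 55).

    Dropbear switched from 0.xx(.y) to YYYY.nn numbering in 2011. Comparing
    integer tuples orders both schemes correctly (0 < 2011 < 2012) and avoids
    string-compare mistakes such as treating '0.48' as newer than '0.5'.
    """
    return tuple(int(part) for part in version.split(".") if part != "")


def dropbear_version_from_banner(banner: str) -> Optional[str]:
    """Extract the Dropbear version from an SSH banner, or None if not Dropbear."""
    m = BANNER_RE.match(banner.strip())
    return m.group("ver") if m else None


def needs_upgrade(version: str) -> bool:
    """True when the reported Dropbear version predates the 2012.55 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def classify(banner: str) -> str:
    """Map a banner to 'not dropbear', 'needs upgrade' or 'fixed'."""
    ver = dropbear_version_from_banner(banner)
    if ver is None:
        return "not dropbear"
    return "needs upgrade" if needs_upgrade(ver) else "fixed"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the SSH identification line from a live host.

    Not exercised offline; call it against your own units, e.g.
    classify(grab_banner("192.168.1.10")). Reads byte by byte so the
    socket is not left holding the start of the key-exchange packet.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").rstrip("\r\n")


# Constructed sample banners (assumption: these units report the versions
# the thread lists; the last two lines are reference values, not Vera output).
SAMPLE_BANNERS = {
    "Vera 2 (firmware 1.5.622)": "SSH-2.0-dropbear_0.52",
    "Vera 3 (firmware 1.7.760)": "SSH-2.0-dropbear_0.53.1",
    "patched reference": "SSH-2.0-dropbear_2012.55",
    "non-Dropbear host": "SSH-2.0-OpenSSH_6.0",
}


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:28} {banner:30} -> {classify(banner)}")
```

Run as-is to see the two Vera banners flagged as "needs upgrade" and the 2012.55 banner as "fixed"; point `grab_banner` at a real unit to replace the constructed input. Note that a banner check only tells you what the daemon claims; a vendor backport with an unchanged version string would be a false positive, and a rebranded banner a false negative.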

RichardTSchaefer (Master Member)
Re: DropBear Vulnerability
« Reply #1 on: January 29, 2016, 04:29:52 pm »
Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are leaving ports open in your router to access Vera, then there are more problems than just DropBear to worry about.

knewmania (Sr. Member)
Re: DropBear Vulnerability
« Reply #2 on: January 29, 2016, 05:03:18 pm »
Quote
Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are leaving ports open in your router to access Vera, then there are more problems than just DropBear to worry about.

I don't disagree that under most Vera scenarios the risk is lower than outlined in the CVE. I do think this is something that should be addressed, though. I submitted a ticket. I will follow up on what their response is.
Vera 2. UI 1.5.622 / Vera 3. UI 1.7.760

mcalistair (Full Member, "Luctor et Emergo")
Re: DropBear Vulnerability
« Reply #3 on: January 30, 2016, 04:58:22 am »
They (Vera) should just update the OS apps + libs with every firmware release, and in the case of UI5 at least provide instructions for doing these kinds of updates yourself.
But as mentioned by RTS, if you have an open firewall, well then you have more issues to worry about  ;D
1x Vera3@UI5 = PROD (1x Edge@UI7 = SandBox ), 15x ZWAVE Devices, 8x 'legacy' X10 devices controlled via Visonic PowerMax Alarm Panel Plugin, 5x Philips HUE devices, 1x iTach IP2CC, 1x Netatmo Weather Station, AltUI

logread (Full Member)
Re: DropBear Vulnerability
« Reply #4 on: January 30, 2016, 01:21:28 pm »
Quote
They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself.

Could not agree more... On my VeraLite the OpenWRT under the hood of firmware 1.7.760 is still version 10.03.1 (backfire), which is more than three years old and three major revisions behind!!!
I think (though I do not own one, so it would be good for somebody who does to confirm) that Vera has upgraded OpenWRT a few times for the Vera Edge... Why not VeraLite (and I suspect Vera 3 as well)?

Vera Lite UI7, Fibaro FGS-221, FGS-212, FGSS-001, FGK-101, FGWPE/F-101, FGMS-001, Aeon HEM G2, GreenWave PowerNode 6,  Everspring ST-814, SE-812, Swiid SwiidInter.
Raspberry Pi2 Raspbian w/ openLuup. AltUI, SV Thermostat, Virtual Switch, Weather (openWeather), System Monitor (openSysMon), HomeWave.

knewmania (Sr. Member)
Re: DropBear Vulnerability
« Reply #5 on: February 04, 2016, 06:58:34 pm »
Quote
I submitted a ticket. I will follow up on what their response is.

I received an update on the ticket I submitted. Here is the response:

Quote
I have discussed with my colleagues from the sysadmin team and they assured me that they have in plan to upgrade the DropBear SSH version of the Vera controllers in the near future.

I responded asking for any information on targeted release information (date/version), but they responded that they do not have those details.
Vera 2. UI 1.5.622 / Vera 3. UI 1.7.760

bwillette (Newbie)
Re: DropBear Vulnerability
« Reply #6 on: October 30, 2016, 09:37:59 pm »
Any updates on this? The vulnerability is still in the latest firmware.

LindsiWains (Jr. Member)
DropBear Vulnerability
« Reply #7 on: November 14, 2016, 07:14:46 am »
I never thought of that vulnerability. Thanks for the information and for keeping our knowledge updated.

joltman (Newbie)
Re: DropBear Vulnerability
« Reply #8 on: March 28, 2017, 12:54:56 am »
This vulnerability still exists on Vera Edge as of the latest firmware. I understand that firewall rules can restrict access to this vulnerability, but that's not a great excuse for not fixing it. It just creates another attack vector that can be used in conjunction with another vulnerability to gain access.