Vera - Smarter Home Control Forum

Advanced => Security => Topic started by: knewmania on January 29, 2016, 03:51:29 pm

Title: DropBear Vulnerability
Post by: knewmania on January 29, 2016, 03:51:29 pm
After running a Nessus scan on my home network, the scanner indicates that the DropBear SSH versions running on my Vera units are vulnerable. The vulnerability is outlined under CVE-2012-0920 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0920). These vulnerabilities are resolved in newer version of DropBear SSH (2012.55 or later).

Vera 3 Firmware: 1.7.760
DropBear SSH version: 0.53.1

Vera 2 Firmware: 1.5.622
DropBear SSH version: 0.52

Not sure if there is a roadmap to incorporate new versions of DropBear in future firmware, but maybe there should be. I would submit a bug report, but it doesn't seem that bugs.micasaverde.com is getting much attention.
Title: Re: DropBear Vulnerability
Post by: RichardTSchaefer on January 29, 2016, 04:29:52 pm
Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are letting ports open in your router to access Vera than there are more problems than just DropBear to worry about.
Title: Re: DropBear Vulnerability
Post by: knewmania on January 29, 2016, 05:03:18 pm
Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are letting ports open in your router to access Vera than there are more problems than just DropBear to worry about.

I don't disagree that under most Vera scenarios, the vulnerability is lower than is outlined in the CVE. I do think this is something that should be addressed though. I submitted a ticket. I will follow up on what their response is.
Title: Re: DropBear Vulnerability
Post by: mcalistair on January 30, 2016, 04:58:22 am
They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself.
But as mentioned by RTS if you have an open FireWall, well then you more issues to worry about  ;D
Title: Re: DropBear Vulnerability
Post by: logread on January 30, 2016, 01:21:28 pm
Quote
They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself.

Could not agree more... On my Veralite the OpenWRT under the hood of firmware 1.7.760 is still version 10.03.1 (backfire) that is more than three years old and 3 major revisions behind !!!
I think (though I do not own one so it would be good for somebody who does to confirm) that Vera has upgraded a few times OpenWRT for the Vera Edge... Why not VeraLite (and I suspect Vera 3 as well) ?

Title: Re: DropBear Vulnerability
Post by: knewmania on February 04, 2016, 06:58:34 pm
I submitted a ticket. I will follow up on what their response is.

I received an update on the ticket I submitted. Here is the response:

Quote
I have discussed with my colleagues from the sysadmin team and they assured me that they have in plan to upgrade the DropBear SSH version of the Vera controllers in the near future.

I responded asking for any information on targeted release information (date/version), but they responded that they do not have those details.
Title: Re: DropBear Vulnerability
Post by: bwillette on October 30, 2016, 09:37:59 pm
Any updates on this, the vulnerability is still in the latest firmware?
Title: DropBear Vulnerability
Post by: LindsiWains on November 14, 2016, 07:14:46 am
I never thought of that vulnerability, Thanks for your information and making our knowledge updated
Title: Re: DropBear Vulnerability
Post by: joltman on March 28, 2017, 12:54:56 am
This vulnerability still exists on Vera Edge as of the latest firmware.  I understand that firewall rules can restrict access to this vulnerability, but that's not a great excuse for not fixing it.  It just creates another attack vector that can be used in conjunction with another vulnerability to gain access.
Title: Re: DropBear Vulnerability
Post by: SDorsey on January 25, 2018, 05:13:47 am
Thanks for sharing the information.
Title: Re: DropBear Vulnerability
Post by: bwillette on February 17, 2018, 04:19:02 pm
2 years later and still no progress.  Disappointing to say the least.  I guess security isn't a priority, since this would likely be a very trivial update.
Title: Re: DropBear Vulnerability
Post by: WalkRightThruThatDoor on January 20, 2019, 10:30:09 am
Any updates? Has this been updated yet?
Title: Re: DropBear Vulnerability
Post by: rafale77 on January 21, 2019, 06:38:42 am
I am running a 2015 version of dropbear and have also compiled the latest version working on UI7 Vera Plus/ Vera Secure/Vera Edge (dates from 2017). Let me know if you want me to post it.
It requires you to run at least on openWRT Barrier Breaker which I believe all 3 of these models are running since their release.
Title: Re: DropBear Vulnerability
Post by: timmy on January 29, 2019, 11:16:01 am
Hi, I would like know how you did it please, thanks  :)


___________________________________________________________________________________
ShowBox (https://showbox.red/) Tutuapp (https://tutuapp.win/) Mobdro (https://mobdro.onl/)
Title: Re: DropBear Vulnerability
Post by: rafale77 on January 29, 2019, 08:24:58 pm
There are a couple of ways to do this: (only for vera plus/edge/secure)
1. If you want the latest compiled version publicly available, I have tested it on the vera plus:
       -SSH into your vera
       -edit your /etc/opkg.conf by running the following line:
Code: [Select]
echo "src/gz base http://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7688/packages/base" >> /etc/opkg.conf
       - then run the following 2 commands
Code: [Select]
opkg update
opkg upgrade dropbear dropbearconvert

2. If you want the latest released stable version, I have compiled it myself and is attached below. In this case you need to decompress the zip, SCP the 2 files onto the vera, ssh into the vera, in the folder where you copied these two files and run
Code: [Select]
opkg install *.ipk
Title: Re: DropBear Vulnerability
Post by: Catman on January 30, 2019, 04:13:36 am
Just skimming this. Is there a 'd' missing?

opkg upgrade ropbear dropbearconvert

C
Title: Re: DropBear Vulnerability
Post by: rafale77 on January 30, 2019, 08:33:02 am
indeed... thanks for noticing the typo
Title: DropBear Vulnerability
Post by: Timothybaddy on February 10, 2019, 09:28:55 am
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance
Title: Re: DropBear Vulnerability
Post by: Catman on February 10, 2019, 10:05:39 am
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance

I'll help if I can. But I don't quite understand what you're asking / trying to do?

C