[SECURITY] SSH host keys in Marketplace appliances

Based on the issue reported by @kvaps (big thanks!) we found out that a few appliances distributed via the OpenNebula Marketplace (http://marketplace.opennebula.org/) contain pre-generated SSH host keys. All VMs started from each affected appliance share the same base cryptographic secrets and are prone to various remote attacks and eavesdropping.

Affected KVM appliances:

  • Alpine 3.6, 3.7, 3.8
  • Debian 8, 9
  • Devuan 1, 2
  • alpine-vrouter

Affected vCenter appliances:

  • alpine-vrouter

If you have any of these appliances imported into your image datastores, please drop them and pull the latest ones from the OpenNebula Marketplace (version: 5.6.0-0.20181120 or *0.20181121).

Existing VMs running from the affected images don’t need to be terminated, but new SSH host keys should be generated. It can be done by running the following commands inside your VMs:

  • Alpine:
        rm -f /etc/ssh/ssh_host_*
        service sshd restart
  • Debian / Devuan:
        rm -f /etc/ssh/ssh_host_*
        DEBIAN_FRONTEND=noninteractive dpkg-reconfigure openssh-server

We are sorry for any inconvenience.

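The advisory above tells you how to regenerate host keys, but not how to find out which of your running VMs still share one. The script below is an added example, not code from the OpenNebula advisory or project: it assumes you have copied each VM's `/etc/ssh/ssh_host_*_key.pub` into `<audit_dir>/<vm-name>/` (via scp or from a mounted image), fingerprints the key material while ignoring the per-host comment, and reports every key present on more than one VM. The `regenerate_host_keys` function generalises the advisory's fix to both distributions with `ssh-keygen -A` (assumed to be installed); the `demo_fleet` function builds a constructed sample, not real keys.

```shell
#!/bin/sh
# Added example, not part of the OpenNebula advisory: detect SSH host keys
# shared between VMs, and regenerate them the way the advisory describes.
# Assumed layout for the audit: each VM's /etc/ssh/ssh_host_*_key.pub copied
# into <audit_dir>/<vm-name>/ (e.g. via scp or from a mounted image).
set -eu

# Print "fingerprint vm" for every public host key in the audit directory.
# The fingerprint is a truncated SHA-256 of the key type and key blob, so it
# ignores the trailing comment (hostname) that differs per VM.
host_key_index() {
    audit_dir=$1
    for pub in "$audit_dir"/*/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        vm=$(basename "$(dirname "$pub")")
        fp=$(awk '{print $1 " " $2}' "$pub" | sha256sum | cut -c1-16)
        printf '%s %s\n' "$fp" "$vm"
    done
}

# Print "fingerprint: vm1 vm2 ..." for every key present on more than one VM.
# Any output here means those VMs cannot be told apart by their host key.
shared_host_keys() {
    host_key_index "$1" | sort -u | awk '
        { vms[$1] = vms[$1] " " $2; n[$1]++ }
        END { for (fp in n) if (n[fp] > 1) print fp ":" vms[fp] }
    ' | sort
}

# The advisory's fix, generalised: remove the old keys and let ssh-keygen -A
# create a fresh set (works on Alpine and Debian/Devuan alike, assuming
# ssh-keygen is installed). Restart sshd afterwards so it loads the new keys.
regenerate_host_keys() {
    root=${1:-/}
    rm -f "$root"/etc/ssh/ssh_host_*
    ssh-keygen -A -f "$root"
}

# Constructed sample fleet (not real keys): vm-a and vm-b share an ed25519
# key, as VMs cloned from an affected appliance would; vm-c has its own.
demo_fleet() {
    d=$(mktemp -d)
    mkdir -p "$d/vm-a" "$d/vm-b" "$d/vm-c"
    shared='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOBSHAREDBYCLONES'
    printf '%s root@vm-a\n' "$shared" > "$d/vm-a/ssh_host_ed25519_key.pub"
    printf '%s root@vm-b\n' "$shared" > "$d/vm-b/ssh_host_ed25519_key.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOBUNIQUETOVMC root@vm-c\n' \
        > "$d/vm-c/ssh_host_ed25519_key.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEBLOBA root@vm-a\n' > "$d/vm-a/ssh_host_rsa_key.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEBLOBB root@vm-b\n' > "$d/vm-b/ssh_host_rsa_key.pub"
    printf '%s\n' "$d"
}

# Usage: sh audit_host_keys.sh <audit_dir>, or --demo for the constructed fleet.
case "${1:-}" in
    --demo) shared_host_keys "$(demo_fleet)" ;;
    "")     ;;
    *)      shared_host_keys "$1" ;;
esac
```

Running it with `--demo` prints one line naming vm-a and vm-b as sharing a key; on a real fleet, every VM listed there should be rekeyed and its stale `known_hosts` entries on clients removed, since clients that accepted the shared key will otherwise not notice the change.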

@vholer,

Alpine Vrouter 5.0.2 also

Very true. I have updated the post above to include also vrouter apps. Thanks!!!

A hint that has become important, too (recently found something in a vagrant box):
check with: find /var -name random-seed -ls
and check the permissions and age of that file.

I had run into an image where that file existed, world readable and ages old.
Yes, it’s the RNG seed. Simply another thing we need to watch out for :slight_smile:
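The random-seed check suggested in the replies above, turned into a script you can run against a mounted image or VM root. This is an added example, not code from the thread: it assumes GNU or busybox `find` and `touch`, treats a seed file as a finding when it is readable by "other" (mode bit 004) or older than a configurable number of days (default 30), and `demo_root` builds a constructed sample tree rather than inspecting a real image.

```shell
#!/bin/sh
# Added example, not part of the forum thread: audit a mounted image or VM
# root for leftover RNG seed files (the random-seed files the reply mentions)
# that are world-readable or stale. Assumption: GNU/busybox find and touch.
set -eu

# Print one finding per line for every random-seed file under $1/var:
#   world-readable <path>   mode grants read to "other" (octal bit 004)
#   stale <path>            last modified more than $2 days ago (default 30)
audit_random_seed() {
    root=$1
    max_age_days=${2:-30}
    {
        find "$root/var" -type f -name random-seed -perm -004 \
            | sed 's/^/world-readable /'
        find "$root/var" -type f -name random-seed -mtime +"$max_age_days" \
            | sed 's/^/stale /'
    } | sort
}

# Constructed sample tree (not a real image): one bad seed, one acceptable one.
demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/systemd" "$root/var/lib/urandom"
    # world-readable and dated 2018: both findings expected
    printf 'not-a-real-seed\n' > "$root/var/lib/systemd/random-seed"
    chmod 644 "$root/var/lib/systemd/random-seed"
    touch -t 201801010000 "$root/var/lib/systemd/random-seed"
    # owner-only and fresh: no finding expected
    printf 'not-a-real-seed\n' > "$root/var/lib/urandom/random-seed"
    chmod 600 "$root/var/lib/urandom/random-seed"
    printf '%s\n' "$root"
}

# Usage: sh audit_random_seed.sh <root> [max_age_days], or --demo.
case "${1:-}" in
    --demo) audit_random_seed "$(demo_root)" ;;
    "")     ;;
    *)      audit_random_seed "$1" "${2:-30}" ;;
esac
```

A seed file that ships inside an image is the same kind of problem as a shipped host key: every clone starts its RNG from the same state, so the file should be deleted from the image (and, like the host keys, regenerated on first boot) rather than merely chmod'ed.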