Vulnerability Description
Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the PubkeyAuthentication option.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eaton | Power Xpert Meter 4000 Firmware | < 13.4.0.10 |
| Eaton | Power Xpert Meter 4000 | - |
| Eaton | Power Xpert Meter 6000 Firmware | < 13.4.0.10 |
| Eaton | Power Xpert Meter 6000 | - |
| Eaton | Power Xpert Meter 8000 Firmware | < 13.4.0.10 |
| Eaton | Power Xpert Meter 8000 | - |
Related Weaknesses (CWE)
References
- http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/securVendor Advisory
- https://www.ctrlu.net/vuln/0006.htmlExploitThird Party Advisory
- https://github.com/BrianWGray/msf/blob/master/exploits/linux/ssh/eaton_known_priExploitThird Party Advisory
- http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/securVendor Advisory
- https://www.ctrlu.net/vuln/0006.htmlExploitThird Party Advisory
FAQ
What is CVE-2018-16158?
CVE-2018-16158 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which mak...
How severe is CVE-2018-16158?
CVE-2018-16158 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-16158?
Check the references section above for vendor advisories and patch information. Affected products include: Eaton Power Xpert Meter 4000 Firmware, Eaton Power Xpert Meter 4000, Eaton Power Xpert Meter 6000 Firmware, Eaton Power Xpert Meter 6000, Eaton Power Xpert Meter 8000 Firmware.