Vendor: Power Xpert Meter
By: BrianWGray
CVSS: HIGH
SSH Private Key Exposure
CWE: N/A
Product Name: Power Xpert Meter
Affected Version From: Firmware 12.x.x.x and below; version 13.3.x.x and below
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Firmware 12.1.9.1 and 13.3.2.10
2018

Eaton Xpert Meter 13.4.0.10 – SSH Private Key Disclosure

Eaton Power Xpert Meters are used across industries for energy management, monitoring circuit loading, and identifying power quality problems. Meters running firmware 12.x.x.x and below, or version 13.3.x.x and below, ship with a public/private key pair on the Power Xpert Meter hardware that allows passwordless authentication to any other affected Power Xpert Meter. Because the key is easily retrievable, an attacker can use it to gain unauthorized remote access as uid 0. The vendor recommends updating to version 13.4.0.10 or above.

Mitigation:

Update to Version 13.4.0.10 or above
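To confirm whether meters in a fleet still trust one shared key, as described above, the following added example (not part of the original advisory or of any vendor tooling) fingerprints every authorized public key per device and reports keys trusted on more than one device. It assumes the authorized keys of each meter have been exported in OpenSSH `authorized_keys` format; the device names and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, base64_blob) per key line, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options may precede the key type, so locate the type field first.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                yield field, fields[i + 1]
                break


def shared_keys(fleet):
    """Map fingerprint -> sorted device list for keys trusted on 2+ devices."""
    seen = defaultdict(set)
    for device, text in fleet.items():
        for _key_type, blob in parse_authorized_keys(text):
            try:
                seen[fingerprint(blob)].add(device)
            except ValueError:  # malformed base64: skip the entry
                continue
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


# Constructed sample data: placeholder blobs, not real keys or device names.
FACTORY = base64.b64encode(b"constructed-shared-factory-key").decode()
UNIQUE = base64.b64encode(b"constructed-per-device-key").decode()
FLEET = {
    "meter-a": f"# factory default\nssh-rsa {FACTORY} root@meter\n",
    "meter-b": f"no-pty ssh-rsa {FACTORY} root@meter\n",
    "meter-c": f"ssh-rsa {UNIQUE} admin@site\n",
}

if __name__ == "__main__":
    for fp, devices in shared_keys(FLEET).items():
        print(fp, "trusted on", ", ".join(devices))
```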

Exploit-DB raw data: