CVE-2017-5242 in Nexpose
Summary
by MITRE • 01/13/2023
Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/08/2025
The vulnerability identified as CVE-2017-5242 affects Rapid7's Nexpose and InsightVM virtual appliances that were distributed during a specific timeframe between April 5th and May 3rd 2017. This issue represents a critical weakness in the appliances' initial security configuration where identical SSH host keys were embedded within the virtual machine images rather than generating unique keys during the first boot process. The flaw directly undermines the fundamental security principle of host key uniqueness that is essential for establishing trust in SSH communications and prevents proper host authentication. This vulnerability falls under the CWE-310 category of Cryptographic Issues, specifically addressing the improper generation of cryptographic keys within security-sensitive applications.
The technical implementation of this vulnerability stems from the virtual appliance distribution process where pre-generated SSH host keys were hardcoded into the virtual machine images. When these appliances boot for the first time, they should generate unique host keys to establish their identity within the SSH protocol framework. However, due to the flawed distribution, all affected appliances within this timeframe share identical host keys, creating a scenario where an attacker who compromises one appliance could potentially impersonate other appliances within the same network segment. This weakness enables man-in-the-middle attacks and undermines the integrity of SSH communications across multiple systems. The vulnerability operates at the network protocol level and specifically targets the SSH key exchange mechanism, making it particularly dangerous in enterprise environments where these appliances are commonly deployed for security scanning and vulnerability assessment.
The operational impact of CVE-2017-5242 extends beyond simple authentication concerns to encompass broader security posture implications for organizations using affected Nexpose and InsightVM appliances. Security teams face the challenge of identifying all affected systems within their networks and implementing remediation measures that may include generating new host keys, updating SSH configurations, and potentially reissuing certificates. The vulnerability also affects the trust model of SSH connections, as administrators cannot rely on host key verification to confirm appliance authenticity, potentially leading to false security assessments and increased attack surface. Organizations that have not yet patched their systems remain vulnerable to credential theft, unauthorized access, and potential lateral movement within their networks. This issue directly relates to ATT&CK technique T1566 which involves credential harvesting through social engineering and network reconnaissance, as compromised appliances can serve as entry points for attackers seeking to escalate privileges or gain access to other network resources.
The mitigation strategy for this vulnerability requires immediate action from system administrators to ensure that all affected appliances are updated with unique SSH host keys. Organizations should verify their appliance versions and apply the appropriate patches released by Rapid7 to regenerate the host keys during system boot. Network security teams must also implement monitoring for SSH connection attempts and host key changes to detect potential exploitation attempts. The remediation process involves booting each appliance and allowing the system to generate new host keys, followed by updating any SSH client configurations that may have cached the old keys. This vulnerability highlights the importance of proper security hardening practices during virtual appliance distribution and emphasizes the need for organizations to maintain updated security configurations to prevent similar issues in the future. The incident serves as a reminder of the critical importance of unique cryptographic key generation in maintaining network security integrity and preventing unauthorized access through compromised authentication mechanisms.