
ExaGrid backdoor flaw

ExaGrid is telling users of its disk-based storage appliances to get new firmware, after Rapid7 turned up hard-coded credentials and SSH keys.

The disclosure details a default root credential of "support:support" and SSH access with the root password "inflection" (CVE-2016-1560).

The units also shipped with keys that shouldn't be there: "Two keys are listed in the root user's .ssh/authorized_keys file: one labeled 'ExaGrid support key' and one 'exagrid-manufacturing-key-20070604.' A copy of the private key for the latter authorized key ships on the device in /usr/share/exagrid-keyring/ssh/manufacturing," the advisory states (CVE-2016-1561).

ExaGrid has fixed the credential bug in firmware version 4.8 P26.

Rapid7 has published a Metasploit module for the bugs. ®
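A defender-side audit for the artefacts the advisory names, added here as an example that is not Rapid7's or ExaGrid's code: it parses an authorized_keys file, flags entries carrying the two vendor key labels quoted above, and checks whether the shipped manufacturing private key is still on disk. The sample authorized_keys content is constructed and its key material is fake.

```python
"""Audit a host for the artefacts named in the ExaGrid advisory (added example)."""
import os

# Key comments quoted in the advisory (CVE-2016-1561).
SUSPECT_LABELS = ("ExaGrid support key", "exagrid-manufacturing-key-20070604")
# Path where the advisory says the manufacturing private key ships.
MANUFACTURING_KEY_PATH = "/usr/share/exagrid-keyring/ssh/manufacturing"

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_authorized_keys(text):
    """Return a list of (key_type, comment) for each key line.

    An optional leading options field (e.g. from="..." or command="...") is
    skipped by locating the first token that is a known key type; a command
    string containing a bare key-type token is not handled (simplification).
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((tok, " ".join(tokens[i + 2:])))
                break
    return entries


def find_suspect_keys(text):
    """Comments of authorized keys whose label matches the advisory's."""
    return [comment for _, comment in parse_authorized_keys(text)
            if any(label in comment for label in SUSPECT_LABELS)]


def manufacturing_key_present(path=MANUFACTURING_KEY_PATH):
    """True if the shipped manufacturing private key is still on disk."""
    return os.path.isfile(path)


# Constructed sample modelled on the advisory's description; keys are fake.
SAMPLE_AUTHORIZED_KEYS = """\
# root's authorized_keys on a hypothetical unpatched appliance
ssh-rsa AAAAB3NzaC1yc2EFAKE0001 admin@corp
ssh-rsa AAAAB3NzaC1yc2EFAKE0002 ExaGrid support key
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EFAKE0003 exagrid-manufacturing-key-20070604
"""

if __name__ == "__main__":
    for comment in find_suspect_keys(SAMPLE_AUTHORIZED_KEYS):
        print("vendor key present in authorized_keys:", comment)
    if manufacturing_key_present():
        print("manufacturing private key present at", MANUFACTURING_KEY_PATH)
```

On a real host, read /root/.ssh/authorized_keys into `find_suspect_keys` instead of the constructed sample.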
