Vulnerabilites related to Tropos - Mesh OS
CVE-2012-4898 (GCVE-0-2012-4898)
Vulnerability from cvelistv5
Published
2012-12-18 11:00
Modified
2025-07-09 16:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE 331
Summary
Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:50:18.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mesh OS",
"vendor": "Tropos",
"versions": [
{
"lessThan": "7.9.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "research group composed of Nadia Heninger (University of California at San Diego), Zakir Durumeric (University of Michigan), Eric Wustrow (University of Michigan), and J. Alex Halderman (University of Michigan)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.\u003c/p\u003e"
}
],
"value": "Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:P/A:N",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 331",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T16:22:48.905Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-12-297-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Tropos Networks has released customer notification and an update (Tropos\n Mesh OS 7.9.1.1) for its network device embedded software. This update \ncan be downloaded from the Tropos software download page. Download of \nthe update requires a valid user name and password. The updated firmware\n fixes the vulnerability by using sufficient entropy to generate unique \nSSH host keys.\n\n\u003cbr\u003e"
}
],
"value": "Tropos Networks has released customer notification and an update (Tropos\n Mesh OS 7.9.1.1) for its network device embedded software. This update \ncan be downloaded from the Tropos software download page. Download of \nthe update requires a valid user name and password. The updated firmware\n fixes the vulnerability by using sufficient entropy to generate unique \nSSH host keys."
}
],
"source": {
"advisory": "ICSA-12-297-01",
"discovery": "EXTERNAL"
},
"title": "Tropos Wireless Mesh Routers Insufficient Entropy",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-4898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-4898",
"datePublished": "2012-12-18T11:00:00Z",
"dateReserved": "2012-09-12T00:00:00Z",
"dateUpdated": "2025-07-09T16:22:48.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}