CVE-2012-4898 (GCVE-0-2012-4898)
Vulnerability from cvelistv5
Published
2012-12-18 11:00
Modified
2025-07-09 16:22
Severity ?
CWE
  • CWE 331
Summary
Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.
References
Impacted products
Vendor Product Version
Tropos Mesh OS Version: 0   < 7.9.1.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T20:50:18.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mesh OS",
          "vendor": "Tropos",
          "versions": [
            {
              "lessThan": "7.9.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "research group composed of Nadia Heninger (University of California at San Diego), Zakir Durumeric (University of Michigan), Eric Wustrow (University of Michigan), and J. Alex Halderman (University of Michigan)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.\u003c/p\u003e"
            }
          ],
          "value": "Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:P/A:N",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE 331",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-09T16:22:48.905Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-12-297-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Tropos Networks has released customer notification and an update (Tropos\n Mesh OS 7.9.1.1) for its network device embedded software. This update \ncan be downloaded from the Tropos software download page. Download of \nthe update requires a valid user name and password. The updated firmware\n fixes the vulnerability by using sufficient entropy to generate unique \nSSH host keys.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Tropos Networks has released customer notification and an update (Tropos\n Mesh OS 7.9.1.1) for its network device embedded software. This update \ncan be downloaded from the Tropos software download page. Download of \nthe update requires a valid user name and password. The updated firmware\n fixes the vulnerability by using sufficient entropy to generate unique \nSSH host keys."
        }
      ],
      "source": {
        "advisory": "ICSA-12-297-01",
        "discovery": "EXTERNAL"
      },
      "title": "Tropos Wireless Mesh Routers Insufficient Entropy",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2012-4898",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf",
              "refsource": "MISC",
              "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2012-4898",
    "datePublished": "2012-12-18T11:00:00Z",
    "dateReserved": "2012-09-12T00:00:00Z",
    "dateUpdated": "2025-07-09T16:22:48.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2012-4898\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2012-12-18T12:30:05.920\",\"lastModified\":\"2025-07-09T17:15:29.767\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.\"},{\"lang\":\"es\",\"value\":\"Mesh OS antes de v7.9.1.1 en los routers Tropos inal\u00e1mbricos no utilizan una fuente suficiente de entrop\u00eda para claves SSH, lo que hace que sea m\u00e1s f\u00e1cil para atacantes man-in-the-middle falsificar un dispositivo o modificar un flujo de datos cliente-servidor mediante el aprovechamiento de conocimiento de una clave de una instalaci\u00f3n del producto en otros lugares.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:C/I:P/A:N\",\"baseScore\":6.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":7.8,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:C/I:P/A:N\",\"baseScore\":6.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":7.8,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:tropos:mesh_os:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.9.1\",\"matchCriteriaId\":\"3E8693B2-5D42-46A1-9994-42E5BADCAB75\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:1310_distrubution_automation_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7852E70-8D02-482E-95FB-2E0CA77E17B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:1410_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E27A596C-9AB4-47FB-8CC1-A442AE2B166B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:1410_wireless_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A03DF812-5697-4216-B34A-68F862258BB4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:3310_indoor_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB430981-1D88-4C92-BC7E-A6AFA1525A76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:3320_indoor_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B9E51A6-A559-4113-A7C6-EE3C7DF1B5EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:4310_mobile_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"668A0BBA-9F67-4E63-A2CE-7A114B42E58F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:6310_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E564CC3-C509-428D-AEB4-8F100ECFF0B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:tropos:6320_mesh_router:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FA11508-E41A-431A-9386-7D8A95C0D8D6\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-12-297-01\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-01.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.