A potential SSH vulnerability has been identified in a number of OnApp templates. There is no known immediate risk to OnApp customers, or to end users running servers in OnApp clouds. Nonetheless, we advise all OnApp customers to check whether the issue applies to them, and if so, to address it on virtual servers directly, or advise their clients to do so.
The issue is described here: http://seclists.org/fulldisclosure/2014/May/42
In brief, each time a Virtual Server was deployed using an affected template, the RSA and DSA host keys were regenerated but the ECDSA host key was not, so every server built from such a template shares the same ECDSA host key. The following OnApp templates were confirmed affected by this issue, and have already been updated:
ECDSA (Elliptic Curve DSA) is a newer, elliptic-curve form of DSA public/private key authentication; it uses a different type of key pair from a standard DSA key pair, so an SSH server carries a separate ECDSA host key. The vulnerability relates to the "host" SSH keys, not the "end user" keys. When you connect to an SSH endpoint, the client first checks the server's host key against the one it has recorded for that address. If you connect to an IP address and the host key changes, you get a warning to notify you that you may be the target of a "man in the middle" attack.
Theoretically, if someone holds the same host key *and* can spoof the same IP address, they could pass this check and have the end user authenticate with their password, making the attack work. Because every server deployed from an affected template shares the same ECDSA host key, anyone with such a server holds that key, so the remaining obstacle is the IP address. However, successful IP address spoofing in this scenario is far from trivial, and is in any case explicitly blocked on OnApp clouds by default.
While there is no known immediate risk to OnApp customers or to end users running servers in OnApp clouds, we recommend that all customers identify whether they are affected by this issue, and if so address it as soon as possible.
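As an added example (not part of this advisory or any OnApp tool), one way to check for the issue across a fleet: collect `ssh-keyscan` output for your virtual servers, fingerprint each ECDSA host key the way OpenSSH does (SHA256 of the key blob, base64, padding stripped), and report any key seen on more than one host. The hostnames and key blobs below are constructed, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) for each 'host keytype blob' line of ssh-keyscan output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan comment lines
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], fingerprint(parts[2])


def shared_host_keys(text: str, key_prefix: str = "ecdsa-"):
    """Return {fingerprint: sorted hosts} for keys of the given type that appear on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        if keytype.startswith(key_prefix):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def fake_blob(label: bytes) -> str:
    # Constructed stand-in for a real key blob; only its uniqueness matters here.
    return base64.b64encode(label).decode()


# Constructed ssh-keyscan output for three servers built from one template:
# 10.0.0.11 and 10.0.0.12 still carry the template's ECDSA key, 10.0.0.13 has
# regenerated its key, and the RSA keys are all distinct (as expected).
SAMPLE_SCAN = "\n".join([
    "# 10.0.0.11:22 SSH-2.0-OpenSSH (constructed)",
    "10.0.0.11 ssh-rsa " + fake_blob(b"constructed-rsa-key-1"),
    "10.0.0.11 ecdsa-sha2-nistp256 " + fake_blob(b"constructed-template-ecdsa-key"),
    "10.0.0.12 ssh-rsa " + fake_blob(b"constructed-rsa-key-2"),
    "10.0.0.12 ecdsa-sha2-nistp256 " + fake_blob(b"constructed-template-ecdsa-key"),
    "10.0.0.13 ssh-rsa " + fake_blob(b"constructed-rsa-key-3"),
    "10.0.0.13 ecdsa-sha2-nistp256 " + fake_blob(b"constructed-regenerated-ecdsa-key"),
])

if __name__ == "__main__":
    # Real use: ssh-keyscan -t ecdsa host1 host2 ... > scan.txt; then pass scan.txt as the argument.
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for fp, hosts in shared_host_keys(data).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any fingerprint listed by the script identifies servers that still need the regeneration steps below.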
First, we recommend that you regenerate ECDSA keys on all servers using templates affected by this issue. Instructions follow:
1) Log in to your OnApp Control Panel
2) Click Templates, and then Templates List
3) Select the affected templates in the list to view all Virtual Servers running on that template
4) Log in to each Virtual Server via SSH and regenerate the ECDSA host key (answer "y" when asked to overwrite the existing key; -N '' gives the host key the empty passphrase that sshd requires):
ssh-keygen -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key
5) On each client machine that has previously connected to the server, remove the old host fingerprint from known_hosts (replace remote-server with the server's hostname or IP address as recorded there):
ssh-keygen -R remote-server
We have created a Recipe to automate steps 4) and 5) above. You'll find it at the OnApp Recipe forum, here: https://forum.onapp.com/index.php?threads/regenerate-ecdsa-host-key.485/
Second, we also recommend that you update the affected templates. Follow the instructions for your version of OnApp:
OnApp 3.1 or later
1) Install/update the CLI template manager:
yum update onapp-template-install
2) Run the template manager:
3) Choose Update at the prompt, which will take you to a screen where you can review and update all outdated templates.
4) Add all updated templates to your templates store via the OnApp UI, and remove the old versions.
Versions prior to OnApp 3.1
If you need help adding new versions of affected templates, please raise a ticket with OnApp Support.