CVE-2017-5242

Summary

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.

Affected Software

VendorProductVersion RangeStatus
Rapid7Nexpose Virtual Appliance2017.04.05 < 2017.04.05*affected
Rapid7Nexpose Virtual Appliance2017.05.03 <= 2017.05.03affected
Rapid7InsightVM Virtual Appliance2017.04.05 < 2017.04.05*affected
Rapid7InsightVM Virtual Appliance2017.05.03 <= 2017.05.03affected

Weaknesses

  • CWE-321: CWE-321 Use of Hard-coded Cryptographic Key

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References