CVE-2019-19750
📋 TL;DR
CVE-2019-19750 is a critical vulnerability in minerstat msOS where all instances share the same SSH host keys, allowing attackers to perform man-in-the-middle attacks and impersonate legitimate mining rigs. This affects all users running minerstat msOS before the fixed version. Attackers can intercept SSH connections and potentially gain unauthorized access to mining operations.
💻 Affected Systems
- minerstat msOS
📦 What is this software?
msOS by minerstat
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of mining operations through SSH man-in-the-middle attacks, allowing attackers to steal cryptocurrency, install malware, or disrupt mining operations entirely.
Likely Case
Attackers intercept SSH connections to mining rigs, potentially gaining unauthorized access to modify configurations, steal mining rewards, or install cryptocurrency-stealing malware.
If Mitigated
With proper network segmentation and SSH key rotation, impact is limited to potential connection interception without actual system compromise.
🎯 Exploit Status
Exploitation requires network access to intercept SSH connections. The vulnerability is well-documented with public proof-of-concept available in the referenced blog posts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions from 2019-10-23 onward
Vendor Advisory: https://github.com/minerstat/minerstat-os/commit/487ebd652dc9dc81120809effb2ddb3f66fc5f14
Restart Required: Yes
Instructions:
1. Update minerstat msOS to version 2019-10-23 or later.
2. Regenerate SSH host keys on all affected systems.
3. Restart SSH service.
4. Update known_hosts files on all connecting clients.
🔧 Temporary Workarounds
Manual SSH Key Regeneration
[linux] Manually regenerate unique SSH host keys for each mining rig instance
sudo rm /etc/ssh/ssh_host_*
sudo dpkg-reconfigure openssh-server
sudo systemctl restart ssh
Network Segmentation
[all] Isolate mining rigs from untrusted networks and implement VPN access only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate mining rigs from untrusted networks
- Use VPN with certificate-based authentication for all remote access instead of direct SSH
🔍 How to Verify
Check if Vulnerable:
Check if SSH host keys are identical across multiple minerstat msOS instances by comparing /etc/ssh/ssh_host_* key fingerprints
Check Version:
cat /etc/msos-version || msos version
Verify Fix Applied:
Verify each system has unique SSH host key fingerprints and check version is 2019-10-23 or later
📡 Detection & Monitoring
Log Indicators:
- Multiple SSH connection warnings about changed host keys
- Unexpected SSH host key mismatch warnings
Network Indicators:
- SSH traffic to mining rigs from unexpected sources
- Multiple systems presenting identical SSH host keys
SIEM Query:
source="ssh" AND ("WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" OR "Host key verification failed")
🔗 References
- https://github.com/minerstat/minerstat-os/commit/487ebd652dc9dc81120809effb2ddb3f66fc5f14
- https://rsaxvc.net/blog/2020/4/10/Widespread_re-use_of_SSH_Host_Keys_in_Ethereum_Mining_Rig_Operating_Systems.html