CVE-2019-19752
📋 TL;DR
This vulnerability allows attackers to perform man-in-the-middle attacks against SSH connections to nvOC mining rigs and easily identify all vulnerable systems using public scanning tools. It affects all nvOC installations through version 3.2 that use the default installation image with baked-in SSH host keys.
💻 Affected Systems
- nvOC (NVIDIA Open Cryptocurrency Mining Rig Operating System)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of mining rigs via SSH man-in-the-middle attacks leading to cryptocurrency theft, malware installation, or botnet recruitment.
Likely Case
Unauthorized SSH access to mining rigs, configuration changes, or monitoring of mining operations.
If Mitigated
Limited to network reconnaissance and identification of vulnerable systems without successful exploitation.
🎯 Exploit Status
Exploitation requires network position for man-in-the-middle or ability to intercept SSH traffic. Public scanning tools like Shodan.io can identify all vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.2 (vendor indicated plans to fix in next image build as of 2019-12-01)
Vendor Advisory: https://github.com/papampi/nvOC_by_fullzero_Community_Release/commits/release
Restart Required: Yes
Instructions:
1. Update to latest nvOC version after 3.2.
2. Regenerate SSH host keys on all systems.
3. Restart SSH service.
4. Update known_hosts files on all client systems.
🔧 Temporary Workarounds
Regenerate SSH Host Keys
Manually regenerate unique SSH host keys for each system (Linux):
sudo rm /etc/ssh/ssh_host_*
sudo dpkg-reconfigure openssh-server
sudo systemctl restart ssh
Disable SSH or Restrict Access
Disable SSH service or restrict to internal networks only (Linux):
sudo systemctl disable ssh
sudo systemctl stop ssh
🧯 If You Can't Patch
- Implement network segmentation to isolate mining rigs from untrusted networks
- Use VPN or SSH bastion hosts with certificate-based authentication for remote access
🔍 How to Verify
Check if Vulnerable:
Check if SSH host key fingerprint matches known vulnerable keys:
ssh-keyscan -t rsa,dsa,ecdsa,ed25519 <host> | ssh-keygen -lf -
Check Version:
Check nvOC version in system documentation or /etc/os-release
Verify Fix Applied:
Verify SSH host keys are unique by comparing fingerprints across multiple systems
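One way to run the uniqueness check above across a whole fleet, as an added example that is not from the nvOC project or the advisory. The function names, the `hosts.txt` file name, the 192.0.2.x addresses and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not nvOC project code): flag SSH host keys shared by several hosts.
# Input on stdin is ssh-keyscan output, one "<host> <keytype> <base64-key>" per line,
# e.g.  ssh-keyscan -f hosts.txt 2>/dev/null | find_shared_hostkeys
# (hosts.txt is a hypothetical file listing your own rigs, one per line).

find_shared_hostkeys() {
    awk '
        /^#/ || NF < 3 { next }              # skip banner comments and short lines
        {
            id = $2 " " $3                   # key identity: type plus public key blob
            if ((id, $1) in seen) next       # same host scanned twice: count once
            seen[id, $1] = 1
            count[id]++
            if (count[id] == 1) hosts[id] = $1
            else                hosts[id] = hosts[id] "," $1
        }
        END {
            for (id in count) {
                if (count[id] < 2) continue  # unique key: nothing to report
                split(id, part, " ")
                print part[1], count[id], hosts[id]
            }
        }
    ' | sort
}

# Constructed sample: rigs .10 and .11 were imaged with the same keys; .12 has
# regenerated its ed25519 key but still carries the image RSA key.
sample_scan() {
    cat <<'EOF'
# 192.0.2.10:22 SSH-2.0-OpenSSH_7.2p2
192.0.2.10 ssh-ed25519 AAAAC3ConstructedImageKeyEd25519
192.0.2.11 ssh-ed25519 AAAAC3ConstructedImageKeyEd25519
192.0.2.12 ssh-ed25519 AAAAC3ConstructedFreshKeyEd25519
192.0.2.10 ssh-rsa AAAAB3ConstructedImageKeyRsa
192.0.2.11 ssh-rsa AAAAB3ConstructedImageKeyRsa
192.0.2.12 ssh-rsa AAAAB3ConstructedImageKeyRsa
EOF
}

# Output columns: key type, number of hosts, comma-separated hosts sharing the key.
sample_scan | find_shared_hostkeys
```

Any line of output means at least two systems still present the same host key and need their keys regenerated; empty output means every scanned key is unique.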
📡 Detection & Monitoring
Log Indicators:
- Multiple failed SSH authentication attempts
- SSH connections from unexpected sources
- Changes to SSH configuration files
Network Indicators:
- SSH traffic to/from mining rigs on non-standard ports
- Shodan.io scans targeting SSH services
SIEM Query:
source="ssh" AND (event="Failed password" OR event="Accepted password") AND dest_ip IN [mining_rig_ips]
🔗 References
- https://github.com/papampi/nvOC_by_fullzero_Community_Release/commits/release
- https://rsaxvc.net/blog/2020/4/10/Widespread_re-use_of_SSH_Host_Keys_in_Ethereum_Mining_Rig_Operating_Systems.html