CVE-2019-19755
📋 TL;DR
This vulnerability allows attackers to perform man-in-the-middle attacks on SSH connections to ethOS mining rigs and easily identify all public IPv4 nodes running vulnerable versions. It affects all ethOS installations through version 1.3.3 that use the default SSH configuration. The issue stems from hardcoded SSH host keys in the installation image.
💻 Affected Systems
- ethOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of mining rigs via SSH man-in-the-middle attacks leading to cryptocurrency theft, malware installation, or botnet recruitment.
Likely Case
Unauthorized SSH access to mining rigs, configuration changes, or monitoring of mining operations.
If Mitigated
Once SSH host keys have been regenerated, exposure is limited to vulnerable systems being identifiable via Shodan scanning, without successful exploitation.
🎯 Exploit Status
Exploitation requires network access and ability to intercept SSH traffic. Shodan scanning makes target identification trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.3.3
Vendor Advisory: http://ethosdistro.com/changelog/
Restart Required: No
Instructions:
1. Update ethOS to the latest version.
2. Regenerate SSH host keys using 'ssh-keygen -A'.
3. Restart the SSH service.
🔧 Temporary Workarounds
Regenerate SSH Host Keys
Linux: Generate unique SSH host keys for each system to prevent key reuse
sudo rm /etc/ssh/ssh_host_*
sudo ssh-keygen -A
sudo systemctl restart ssh
Disable SSH or Restrict Access
Linux: Disable the SSH service, or restrict it to trusted networks only
sudo systemctl disable ssh
sudo systemctl stop ssh
🧯 If You Can't Patch
- Regenerate SSH host keys on all systems immediately
- Implement network segmentation and firewall rules to restrict SSH access to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check whether the SSH host keys match the known vulnerable ones: run 'ssh-keyscan localhost' and compare the output against the vulnerable keys listed in the references.
Check Version:
cat /etc/ethos-version
Verify Fix Applied:
Verify that the SSH host keys are unique: 'ssh-keyscan localhost' should return keys that differ from those on every other system.
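The two checks above (comparing against the known vulnerable keys and confirming that no two rigs share a host key) can be run in one pass over collected ssh-keyscan output. The script below is an added example, not tooling from the page or from ethOS; the vulnerable-fingerprint set is a placeholder to be filled from the CVE references, and the keyscan output it parses is constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Placeholder: populate from the fingerprints published in the CVE references.
KNOWN_VULNERABLE_FINGERPRINTS = {
    "SHA256:PLACEHOLDER-FINGERPRINT-FROM-CVE-2019-19755-REFERENCES",
}

def openssh_fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the format 'ssh-keygen -lf' prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) for each key line of 'ssh-keyscan' output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip ssh-keyscan's '# host SSH-2.0-...' comments and short lines
        yield parts[0], parts[1], openssh_fingerprint(parts[2])

def audit(text: str, known_bad=KNOWN_VULNERABLE_FINGERPRINTS):
    """Return (hosts whose key is in known_bad, fingerprints shared by 2+ hosts)."""
    flagged, hosts_by_fp = [], defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        hosts_by_fp[fp].add(host)
        if fp in known_bad:
            flagged.append((host, keytype, fp))
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    return flagged, shared

def constructed_ed25519_pubkey(seed: int) -> str:
    """Constructed sample key (not a real rig key): string(type) || string(32-byte pk)."""
    pk = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pk
    return base64.b64encode(blob).decode()

# Constructed ssh-keyscan output: rig1 and rig2 still carry the image's shared key.
SAMPLE_KEYSCAN = "\n".join([
    "# rig1:22 SSH-2.0-OpenSSH_7.6p1",
    f"rig1 ssh-ed25519 {constructed_ed25519_pubkey(1)}",
    f"rig2 ssh-ed25519 {constructed_ed25519_pubkey(1)}",
    f"rig3 ssh-ed25519 {constructed_ed25519_pubkey(3)}",
])
```

Replace SAMPLE_KEYSCAN with the concatenated output of ssh-keyscan run against each rig; audit() then returns the hosts whose key is on the known-bad list and every fingerprint that more than one rig presents.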
📡 Detection & Monitoring
Log Indicators:
- Failed SSH login attempts from unexpected sources
- SSH host key warnings in client logs
Network Indicators:
- SSH traffic to mining rigs from unexpected sources
- Shodan scans targeting port 22
SIEM Query:
source="ssh" AND (event="Failed password" OR event="Invalid user") | stats count by src_ip