CVE-2017-5242 - Vulnerability Details - OpenCVE

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00183.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Rapid7	Insightvm

Configuration 1 [-]

cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2017-14347	Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/

History

Tue, 08 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2023-01-12T00:00:00.000Z

Updated: 2025-04-08T14:20:43.692Z

Reserved: 2017-01-09T00:00:00.000Z

Link: CVE-2017-5242

Vulnrichment

Updated: 2024-08-05T14:55:35.797Z

NVD

Status : Modified

Published: 2023-01-12T22:15:09.263

Modified: 2025-04-08T15:15:45.170

Link: CVE-2017-5242

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2017-5242", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "dateUpdated": "2025-04-08T14:20:43.692Z", "dateReserved": "2017-01-09T00:00:00.000Z", "datePublished": "2023-01-12T00:00:00.000Z"}, "containers": {"cna": {"title": "Rapid7 Nexpose Virtual Appliance Duplicate SSH Host Key", "datePublic": "2017-08-19T00:00:00.000Z", "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2023-01-12T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots."}], "affected": [{"vendor": "Rapid7", "product": "Nexpose Virtual Appliance", "versions": [{"version": "2017.04.05", "status": "affected", "lessThan": "2017.04.05*", "versionType": "custom"}, {"version": "2017.05.03", "status": "affected", "lessThanOrEqual": "2017.05.03", "versionType": "custom"}]}, {"vendor": "Rapid7", "product": "InsightVM Virtual Appliance", "versions": [{"version": "2017.04.05", "status": "affected", "lessThan": "2017.04.05*", "versionType": "custom"}, {"version": "2017.05.03", "status": "affected", "lessThanOrEqual": "2017.05.03", "versionType": "custom"}]}], "references": [{"url": "https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "cweId": "CWE-321"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "INTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:55:35.797Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T14:18:56.959442Z", "id": "CVE-2017-5242", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T14:20:43.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:55:35.797Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2017-5242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-08T14:18:56.959442Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T14:20:38.239Z"}}], "cna": {"title": "Rapid7 Nexpose Virtual Appliance Duplicate SSH Host Key", "source": {"discovery": "INTERNAL"}, "affected": [{"vendor": "Rapid7", "product": "Nexpose Virtual Appliance", "versions": [{"status": "affected", "version": "2017.04.05", "lessThan": "2017.04.05*", "versionType": "custom"}, {"status": "affected", "version": "2017.05.03", "versionType": "custom", "lessThanOrEqual": "2017.05.03"}]}, {"vendor": "Rapid7", "product": "InsightVM Virtual Appliance", "versions": [{"status": "affected", "version": "2017.04.05", "lessThan": "2017.04.05*", "versionType": "custom"}, {"status": "affected", "version": "2017.05.03", "versionType": "custom", "lessThanOrEqual": "2017.05.03"}]}], "datePublic": "2017-08-19T00:00:00.000Z", "references": [{"url": "https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2023-01-12T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2017-5242", "state": "PUBLISHED", "dateUpdated": "2025-04-08T14:20:43.692Z", "dateReserved": "2017-01-09T00:00:00.000Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2023-01-12T00:00:00.000Z", "assignerShortName": "rapid7"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DEA2123-D427-48C4-90B1-47B996A255C2", "versionEndIncluding": "2017-05-03", "versionStartIncluding": "2017-04-05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots."}, {"lang": "es", "value": "Los dispositivos virtuales Nexpose e InsightVM descargados entre el 5 de abril de 2017 y el 3 de mayo de 2017 contienen claves de host SSH id\u00e9nticas. Normalmente, se debe generar una clave de host SSH \u00fanica la primera vez que se inicia un dispositivo virtual."}], "id": "CVE-2017-5242", "lastModified": "2025-04-08T15:15:45.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-12T22:15:09.263", "references": [{"source": "cve@rapid7.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}]}