On Tuesday the CERT Coordination Center at Carnegie Mellon University disclosed a vulnerability affecting versions 21.2 and earlier of SMA Technologies’ OpCon UNIX agent. The vulnerability is identified as CVE-2022-2154. During installation and subsequent updates of every affected version, the agent adds an SSH key to the root account’s authorized_keys file, and that key is the same across every installation of the agent globally; it is not removed on uninstall.
The key can be clearly identified as sma_id_rsa. An attacker who has the private key (which is included with the agent installation files) could gain root-level SSH access to systems with the agent installed. SMA has created a script, which must be run as root, that checks for the vulnerable key and removes it; alternatively, administrators can remove the key manually. SMA also reports that the latest version of 21.2 does not include the vulnerable key, so fresh installs with the updated 21.2 package should not be affected.
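
A manual check along those lines, as an added example that is not SMA's script. It assumes the label sma_id_rsa appears as text on the key's line in authorized_keys (for example in the comment field) and that root's file is at /root/.ssh/authorized_keys unless a path is given; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not SMA's script): audit an authorized_keys file for the shared OpCon key.
# Assumption: the label "sma_id_rsa" appears as text on the key's line (e.g. its comment field).
MARKER="sma_id_rsa"

# Print the line number of every active (non-comment) entry carrying the marker.
find_sma_keys() {
    [ -r "$1" ] || return 0
    awk -v m="$MARKER" '
        /^[ \t]*(#|$)/ { next }        # skip comment and blank lines
        index($0, m)   { print FNR }' "$1"
}

# Remove matching entries, leaving a timestamped backup; prints the backup path.
remove_sma_keys() {
    f="$1"
    [ -n "$(find_sma_keys "$f")" ] || return 0
    bak="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$f" "$bak" || return 1
    tmp="$(mktemp)" || return 1
    # Keep comments, blanks and every entry that does not carry the marker.
    awk -v m="$MARKER" '/^[ \t]*(#|$)/ || !index($0, m)' "$f" > "$tmp" || return 1
    cat "$tmp" > "$f"                  # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    echo "$bak"
}

# Usage: script [path] [--remove]; root's home directory differs on some UNIX systems.
target="${1:-/root/.ssh/authorized_keys}"
hits="$(find_sma_keys "$target" | tr '\n' ' ')"
if [ -n "$hits" ]; then
    echo "FOUND $MARKER in $target at line(s): $hits"
    if [ "${2:-}" = "--remove" ]; then
        echo "backup written to $(remove_sma_keys "$target")"
    fi
else
    echo "no $MARKER entry in $target"
fi
```

Because the key is not removed on uninstall, the check applies to any host where an affected agent version was ever installed, not only hosts where it is currently present. The backup file still contains the key line, so delete it once the cleaned file has been verified.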