"SMA Technologies Patches Critical Security Issue in Workload Automation Solution"
Security researchers at the CERT Coordination Center (CERT/CC) at Carnegie Mellon University have discovered a critical vulnerability in the SMA Technologies OpCon UNIX agent resulting in the same SSH key being deployed with all installations. OpCON is aimed at financial institutions and insurance firms and is a cross-platform process automation and orchestration solution that can be used for the management of workloads across business-critical operations. Tracked as CVE-2022-2154, the issue results in the same SSH key being delivered on every installation and subsequent updates. The researchers stated that the SSH public key is added to the root account's authorized_keys file during the agent's installation, and the entry remains there even after the OpCon software has been removed. The researchers noted that the installation files also include a corresponding, unencrypted private key named "sma_id_rsa." An attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems. The researchers stated that the bug impacts version 21.2 and earlier of the OpCon UNIX agent. SMA Technologies, which was informed of the security issue in March, told the researchers that it has already updated the version 21.2 package to remove the vulnerability.