Due to a serious flaw in the SMA Technologies OpCon UNIX agent, the same SSH key is distributed with every installation. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University says in an alert that the problem, which is identified as CVE-2022-2154, causes the identical SSH key to be supplied on each installation and subsequent update.
During the installation of the agent, the SSH public key is added to the root account’s authorized keys file, and the entry is kept there even after the OpCon software is uninstalled. The OpCon UNIX agent versions 21.2 and earlier are affected by the problem. SMA Technologies told CERT/CC that it has already upgraded the version 21.2 package to close the vulnerability after being made aware of the security problem in March.
According to SMA, its removal tool searches the authorized keys file for the vulnerable SSH key and deletes it while notifying the user that it has done so.
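The removal tool described above is the vendor's; the following is an added example of the same check a defender can run independently, given that the key lands in root's authorized_keys file and survives an uninstall. It is not SMA's code: the OpCon key is not published in the advisory, so the fingerprint constant is a placeholder to be replaced with the value obtained from the vendor, and the sample authorized_keys content, the key blobs and the `opcon-agent` comment are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import re
import shutil
from typing import List, Set, Tuple

# Placeholder only: take the real fingerprint from SMA (ssh-keygen -lf prints this form).
OPCON_KEY_FINGERPRINTS: Set[str] = {"SHA256:PLACEHOLDER-OPCON-AGENT-KEY"}

# Key type then base64 blob; options may precede it, a comment may follow it.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w.@-]+)\s+([A-Za-z0-9+/=]+)")

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, same form as ssh-keygen -l."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def scan_authorized_keys(text: str, denylist: Set[str]) -> Tuple[List[str], List[str]]:
    """Split file contents into (lines to keep, lines carrying a denylisted key)."""
    kept, flagged = [], []
    for line in text.splitlines():
        match = KEY_RE.search(line)
        try:
            hit = match is not None and fingerprint(match.group(2)) in denylist
        except binascii.Error:  # malformed blob: keep it for a human to review
            hit = False
        (flagged if hit else kept).append(line)
    return kept, flagged

def remediate(path: str, denylist: Set[str] = OPCON_KEY_FINGERPRINTS) -> List[str]:
    """Strip denylisted keys from path, keeping a .bak copy; return removed lines."""
    with open(path) as fh:
        kept, flagged = scan_authorized_keys(fh.read(), denylist)
    if flagged:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write("\n".join(kept) + "\n")
    return flagged

# Constructed sample: arbitrary bytes stand in for real key material.
_VENDOR = base64.b64encode(b"constructed vendor key").decode()
_ADMIN = base64.b64encode(b"constructed admin key").decode()
SAMPLE = (f"ssh-rsa {_ADMIN} admin@host\n"
          f"no-pty,no-X11-forwarding ssh-rsa {_VENDOR} opcon-agent\n"
          "# trailing comment\n")

def demo() -> Tuple[List[str], List[str]]:
    # Scan SAMPLE with the constructed vendor key denylisted.
    return scan_authorized_keys(SAMPLE, {fingerprint(_VENDOR)})
```

In production, call `remediate("/root/.ssh/authorized_keys")` after replacing the placeholder fingerprint, and re-run it after uninstalling the agent, since the advisory notes the entry otherwise outlives the software.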