I was surprised to discover that Cloudways reuses the same SSH host key when provisioning Vultr, Linode, AWS, and GCP servers. Apparently SSH host key reuse isn’t a new problem and some fingerprints have been seen on as many as 250,000 devices.
I currently have two Vultr servers on Cloudways:
Vultr Server 1:
- Created 3/9/17
- SSH fingerprint: 58:f5:63:01:8b:02:e6:ac:84:a7:18:db:47:19:ec:0b
- According to Shodan, 2535 servers have that fingerprint.
Vultr Server 2:
- Created 9/4/19
- SSH fingerprint: 29:0c:48:39:88:bd:94:36:bb:dd:1d:db:29:01:55:45
- According to Shodan, 2820 servers have that fingerprint.
How do I get the server SSH fingerprint?
The easiest way is the run this at a command prompt (replacing hostname with the domain or IP address of the server):
ssh-keygen -E md5 -lf <( ssh-keyscan hostname 2>/dev/null )
Can I reproduce this on Vultr servers through Cloudways?
I created one in Dallas and was assigned the IP 184.108.40.206 and got the fingerprint b7:73:78:ac:f4:9f:01:ad:b5:7e:e2:e6:a5:93:1c:a2. I created a second one in Dallas and was assigned the IP 220.127.116.11 with the same fingerprint of b7:73:78:ac:f4:9f:01:ad:b5:7e:e2:e6:a5:93:1c:a2.
What about Linode on Cloudways?
I created a Linode server in Dallas and was assigned the IP 18.104.22.168 with the fingerprint 55:95:ea:0d:aa:37:0a:96:c6:ee:12:4f:50:9e:ab:9a. The second server in Dallas got the IP 22.214.171.124 and the same fingerprint of 55:95:ea:0d:aa:37:0a:96:c6:ee:12:4f:50:9e:ab:9a.
What about Amazon Web Services on Cloudways?
I created two servers and got the same fingerprint. It’s in use on 70 servers.
- Location: Virginia, IP: 126.96.36.199, Fingerprint: da:ca:e9:fb:10:0b:61:19:5b:23:ca:39:36:60:ff:af
- Location Virginia, IP: 188.8.131.52, Fingerprint: da:ca:e9:fb:10:0b:61:19:5b:23:ca:39:36:60:ff:af
What about Google Cloud Platform on Cloudways?
I created two servers and also got the same fingerprint. It’s in use on 47 servers.
Location: Iowa, IP: 184.108.40.206, Fingerprint: b2:d0:23:6d:90:50:27:e6:92:53:b6:98:0f:18:52:f8
Location: Iowa, IP: 220.127.116.11, Fingerprint: b2:d0:23:6d:90:50:27:e6:92:53:b6:98:0f:18:52:f8
What about Digital Ocean on Cloudways?
All three of the Digital Ocean servers I created had unique fingerprints and didn’t show up on Shodan:
- Location: New York, IP: 18.104.22.168, Fingerprint: d1:76:7d:b0:2d:fc:9e:bb:f3:40:f7:53:b7:87:fe:ca
- Location: San Francisco, IP: 22.214.171.124, Fingerprint: e8:3f:72:17:e3:ba:02:e6:e7:10:a9:4a:3d:d0:83:24
- Location: San Francisco, IP: 126.96.36.199, Fingerprint: 2b:5d:55:7c:36:e7:04:86:17:66:ad:40:77:7e:cd:36
How bad is this?
It doesn’t appear this directly compromises my servers. However, it does allow an attacker to impersonate my server. They could achieve this by either stealing the private key off of another compromised Cloudways server or by provisioning a new Cloudways server and then finding a way to redirect SSH traffic to the impersonated server. Reusing an SSH key across multiple servers might make sense if all of them belonged to me. (It’s probably what Github and Bitbucket do so that their customers can use Git over SSH.) However, since these Cloudways servers are assigned to many customers, it’s a risk, and it’s definitely not good.
TL;DR: There’s a possibility of an impersonation/MitM attack but intercepting and successfully reading the encrypted SSH traffic shouldn’t be possible.
It also makes it easy to identify a large list of servers provisioned by Cloudways. If someone found a vulnerability on a Cloudways server, this would make it easy to target the vulnerable servers.
Is Cloudways going to fix this?
I reported this via live chat on October 3, 2019 and then to their privacy email address on October 3, 2019, and heard back on October 9, 2019. They don’t seem to consider this a major issue, but they did say they are working on fixing it.