Cisco finds, removes more default SSH keys on its software

Cisco has pushed out security updates to address two vulnerabilities in its Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Content Security Management Virtual Appliance (SMAv) software.

The first one exists because a default authorized SSH key is shared across all the installations of those three appliances, and can be exploited by unauthenticated, remote attackers to connect to those appliances and gain root access, i.e. complete control of them.

“IP address connectivity to the management interface on the affected platform is the only requirement for the products to be exposed to this vulnerability. No additional configuration is required for this vulnerability to be exploited,” Cisco explained in the security advisory published on Thursday.

The second is due to the default SSH host keys that are shared across all the installations of the three virtual appliances, and can be exploited by unauthenticated, remote attackers to decrypt and impersonate secure communication between any of them – effectively, to mount a Man-in-the-Middle attack.

There are no workarounds for these vulnerabilities, so the only thing left for customers to do is to implement the updates.

“This patch is required for all virtual appliance releases for email security, web security, and content security management that were downloaded or upgraded before June 25, 2015,” Cisco noted, adding that physical hardware appliances are not affected by the flaws.

According to the advisory, the vulnerabilities were discovered “during internal tests and product security reviews”, and there is no indication that they are being exploited in the wild.

“Searching for ‘default credentials’ on Cisco’s advisory web site shows that for the past several years, the presence of backdoor and default users continues to be a recurring issue,” SANS ISC incident handler Daniel Wesemann commented.

“To Cisco’s credit, they seem to have found today’s SSH key problem on their own, before it was abused, so maybe this is a sign of better times to come, and evidence that after all these years, someone at Cisco has actually started to systematically audit their entire code base for the presence of default credentials. Or maybe it just was a lucky find, and the ‘stellar’ 10 year track record of default credential security bulletins will continue for another decade? Time will tell…”

Share this