Cisco urges firms to download fix for flaw that could allow attackers to gain access to systems and intercept traffic
Cisco has released a patch for three of its virtual appliances after it was discovered they contain default, authorised SSH keys that could allow an attacker virtually complete access to compromised systems.
The vulnerability affects all of Cisco’s Web Security Virtual Appliances (WSAv), Email Security Virtual Appliances (ESAv), and Content Security Management Virtual Appliances (SMav), and was found by Cisco during internal tests.
Two specific threats are mentioned by a Cisco advisory. The first allows an unauthenticated, remote attacker to connect to an affected system with root user privileges if they obtain the SSH key, while the second could permit a malicious user to decrypt and intercept secure communications via a man-in-the middle attack.
The company says there are no workarounds and there have been no attacks spotted in the wild, but has urged customers to download the patch through the usual software update mechanism.
“The patch will delete all the preinstalled SSH keys on the appliance,” it said. “After the key deletion, the patch will also provide customers with additional steps to take for a complete fix.”
Security experts have welcomed Cisco’s actions but are concerned about the potential scale of the vulnerability.
“To truly understand the scope of impact for this vulnerability, we’d have to know the number of these devices actually deployed,” said Tim Erlin, Director of Security and Product Management at Tripwire. “It’s great that there’s an update to address the issue, but customers must actually apply it to be protected. There’s often a lag between update availability and effective deployment, creating a window of risk.
“Because this affects virtual images, it’s entirely possible that some may lay dormant through the initial update cycle, then introduce the vulnerability at a later date when started.”