Cisco has released a patch for three of its virtual appliances after it was discovered they contain default, authorised SSH keys that could allow an attacker virtually complete access to compromised systems.
The vulnerability affects all of Cisco’s Web Security Virtual Appliances (WSAv), Email Security Virtual Appliances (ESAv), and Content Security Management Virtual Appliances (SMav), and was found by Cisco during internal tests.
Two specific threats are mentioned by a Cisco advisory. The first allows an unauthenticated, remote attacker to connect to an affected system with root user privileges if they obtain the SSH key, while the second could permit a malicious user to decrypt and intercept secure communications via a man-in-the middle attack.
“The patch will delete all the preinstalled SSH keys on the appliance,” it said. “After the key deletion, the patch will also provide customers with additional steps to take for a complete fix.”
Security experts have welcomed Cisco’s actions but are concerned about the potential scale of the vulnerability.
“To truly understand the scope of impact for this vulnerability, we’d have to know the number of these devices actually deployed,” said Tim Erlin, Director of Security and Product Management at Tripwire. “It’s great that there’s an update to address the issue, but customers must actually apply it to be protected. There’s often a lag between update availability and effective deployment, creating a window of risk.
“Because this affects virtual images, it’s entirely possible that some may lay dormant through the initial update cycle, then introduce the vulnerability at a later date when started.”
Most people in the United States view TikTok as a Chinese influence tool a poll…
UK regulator confirms it is investigating whether OnlyFans is doing enough to prevent children accessing…
Dismissed staff file complaint with a US labor board, and allege Google unlawfully terminated their…
Elon Musk dismisses two senior Tesla executives, plus the entire division that runs Tesla's Supercharger…
Eight newspaper publishers in the US allege Microsoft and OpenAI used their millions of their…
US judge sentences Binance founder, Changpeng Zhao, to four months in prison for ignoring money…