Cisco has released a patch for three of its virtual appliances after it was discovered they contain default, authorised SSH keys that could allow an attacker virtually complete access to compromised systems.
The vulnerability affects all of Cisco’s Web Security Virtual Appliances (WSAv), Email Security Virtual Appliances (ESAv), and Content Security Management Virtual Appliances (SMav), and was found by Cisco during internal tests.
Two specific threats are mentioned by a Cisco advisory. The first allows an unauthenticated, remote attacker to connect to an affected system with root user privileges if they obtain the SSH key, while the second could permit a malicious user to decrypt and intercept secure communications via a man-in-the middle attack.
“The patch will delete all the preinstalled SSH keys on the appliance,” it said. “After the key deletion, the patch will also provide customers with additional steps to take for a complete fix.”
Security experts have welcomed Cisco’s actions but are concerned about the potential scale of the vulnerability.
“To truly understand the scope of impact for this vulnerability, we’d have to know the number of these devices actually deployed,” said Tim Erlin, Director of Security and Product Management at Tripwire. “It’s great that there’s an update to address the issue, but customers must actually apply it to be protected. There’s often a lag between update availability and effective deployment, creating a window of risk.
“Because this affects virtual images, it’s entirely possible that some may lay dormant through the initial update cycle, then introduce the vulnerability at a later date when started.”
Tesla makes key advances toward advanced self-driving rollout in China as chief Elon Musk meets…
New UK rules bring in basic security requirements for millions of internet-connected devices, aiming to…
Google parent Alphabet sees market capitalisation surge over $2tn on plan to over first-ever cash…
Google asks Virginia federal court to dismiss case brought by US Justice Department and eight…
Snapchat parent Snap reports user growth, revenues in spite of tough competition, in what may…
Quick-growing fast-fashion company Shein must comply with most stringent level of EU digital rules after…