Thursday06 October 2022

Cisco SSH key bug in virtual security appliances leads to some questions

Reading time is around minutes.

Cisco has acknowledged (and released patches for) a fairly serious security bug in three of their virtual appliances that, oddly enough, are related to security. The three products in question are the Cisco Web Security Virtual Appliance, the Email Security Virtual Appliance and the Security Management Virtual Appliance. These three devices all share a default preinstalled SSH encryption key. This meddlesome little fact means that it is very simple to get into an SSH session because you can grab the key off of another copy of the product. We are pretty sure that the default keys are already floating around on the internet somewhere as well.

The flaw has been admitted to by Cisco: “The vulnerability is due to the presence of a default authorised SSH key that is shared across all the installations of WSAv, ESAv and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv or SMAv."
Exploitation of the flaws could allow an "unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliance.”

There are already patches available for this flaw and Cisco is recommending customers update this as soon as possible (of course). Still some are wondering how a flaw like this existed in a security product at all. It seems like a serious case of laziness to us, while others are concerned that the slip was to allow access into Cisco products by the NSA or other law enforcement agencies. Although the latter is certainly plausible given the revelation by Edward Snowden of Cisco’s cooperation with the NSA, it might not be the case at all. This could simply have been a case of pushing a product out using the same base template. When you are dealing with virtual appliances it can cut development time if you use the same basic template for the OS and drop in the features that you need.

This flaw is a serious one and while we do not want to think Cisco risked their customers’ data like this just to keep the NSA happy. However, if this was laziness… it is just as bad. If you have one of these running in your corporate environment we suggest you update now. If the red team did not know about this flaw before, they do now and your data is very much at risk.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.