Cisco has pushed out patches for three virtual appliances that shipped with default Secure Shell (SSH) encryption key vulnerabilities, which pose a risk of a hacker decrypting traffic with the keys.
The three products in question are Cisco's Email Security Virtual Appliance (ESav), Web Security Virtual Appliance (WSav) and Security Management Virtual Appliance (SMAv). Cisco pushed out the patch on Thursday, June 25, and the versions of these commercially available products downloaded prior to this date are vulnerable to threats.
The products with pre-installed SSH can be used to remotely log in to a machine and it is a faulty security practice to ship products that have the same private keys.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv," noted Cisco in a security advisory.
Cisco also alerted users that two types of known vulnerabilities existed in its SSH keys: default SSH host keys vulnerability and default authorized SSH key vulnerability.
Following the advisory, the default authorized SSH key vulnerability existed in the remote support functionality of the affected virtual appliances. The hacker would be able to access the system and also be endowed with the privileges of the root user.
The second vulnerability would enable the remote attacker to intercept the traffic between the WSAv and also the host being communicated with. The hacker would have the ability to decrypt this communication and wage a man-in-the-middle attack.
Cisco discovered the security vulnerabilities during an internal testing for security loops.
Cisco's patch, which is rolling out now, will delete the SSH keys that come pre-installed with the product and will give users instructions on how to fix the issue.
The fix is dubbed "cisco-sa-20150625-ironport SSH Keys Vulnerability Fix" and is available in its list of upgrades for products. However, one must install the same manually.
While no workaround for the issues exist, the patch is available for affected users. Virtual appliance downloads, upgrades or physical hardware appliances made after June 25 of this year do not require the patch.
Photo: Prayitno | Flickr
