Cisco Security Appliances contain a default SSH Key

Pierluigi Paganini June 26, 2015

Security experts at Cisco revealed the existence of a default SSH key in many security appliances, an attacker can exploit it to control the devices.

Security experts at Cisco discovered default SSH Key in many Cisco security appliances, an attacker could use them to establish SSH connection and control the devices. The abuse of the SSH key could represent a serious problem for enterprises and organizations that are exposed to cyber attacks. According to Cisco, Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the security issue.

cisco default ssh key

The security issue is considered critical due to the capillary diffusion of Cisco systems. The default key was used for maintenance purposed.

“Multiple Cisco products contain a vulnerability that could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances. Updates are available.” states the advisory issued by Cisco.

The vulnerability was discovered by Cisco experts during internal security testing.

“A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user,” Cisco’s advisory says.

“The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user.”

The security issue is easy to exploit, especially if an attacker has a man-in-the-middle position on a target network. The attacker could use the default SSH key to access the target system going undetected.

“Exploiting this vulnerability on Cisco SMAv is possible in all cases in which SMAv is used to manage any content security appliance. Successfully exploiting this vulnerability on Cisco SMAv allows an attacker to decrypt communication toward SMAv, impersonate SMAv, and send altered data to a configured content appliance. An attacker can exploit this vulnerability on a communication link toward any content security appliance that was ever managed by any SMAv,” the advisory says.

The only way to fix the security issue it to apply the patches released by Cisco.

Pierluigi Paganini

(Security Affairs – Cisco, SSH key)

you might also like

leave a comment