Cisco security engineers have disclosed that there is a single default ‘maintenance’ SSH key hardcoded into several families of Cisco security appliances.
The default authorised SSH keys and SSH host keys are associated with remote access for maintenance, meaning that a successful attack would allow hackers to access the devices at will. Once obtained, the private keys would allow an attacker to decrypt traffic after collecting it during a man-in-the-middle attack, or impersonate one of the appliances and alter traffic.
According to Cisco, Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the security issue, reports the SecurityAffairs blog.
“Multiple Cisco products contain a vulnerability that could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances. Updates are available”, said the company in a widely-quoted statement.
The vendor has pushed out a security patch to rectify the issue, (“cisco-sa-20150625-ironport SSH Keys Vulnerability Fix”), and says all versions prior to 25 June need the update.
The Register quotes the patch advisory as saying: “IP address connectivity to the management interface on the affected platform is the only requirement for the products to be exposed to this vulnerability. No additional configuration is required for this vulnerability to be exploited.
“This patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after June 25, 2015,” the advisory continues.
However, according to ComputerWorld, Cisco said it "is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory."