The security device industry leader Cisco recently shocked many enterprises by admitting to a vulnerability in many of its products that could allow an attacker to take complete control over an appliance. The company said that this was traceable to default, authorised SSH keys in all of its virtual appliances for web security, email security and content security management.
There could be few more serious bugs for any enterprise to deal with, given the scope for an attacker who discovers the default SSH key to do almost anything they wish with vulnerable boxes, as are installed in great number around the world by virtue of Cisco’s prominent market-leading position. It was apparently support reasons that motivated the incorporation of the default key into the software.
Cisco’s advisory said: “A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.”
Such a vulnerability is unfortunately by no means unique to Cisco’s software, with one security engineering manager, Tod Beardsley, commenting that most providers of firmware now realised how much of a “Bad Idea” telenet-based remote administration was, resulting in a greater tendency towards secure shell (SSH) based administration consoles.
However, Beardsley said that vendors occasionally mistakenly shipped a single default SSH key across an entire product line. “While it’s better than telnet, all it takes for an attacker to compromise these devices is to get a hold of one of them (or an Internet mirror of the firmware), extract the key, and then go to town.
“As we come across devices like this, we recommend that vendors instead have a ‘first boot’ procedure that dynamically generates a unique SSH key for that device. That way, the keys are distinct per customer, and not shared among all customers and whomever else gets a hold of the key.”
An attacker exploiting the Cisco vulnerability would enjoy essentially undetected access to a target system, with the firm admitting that this would be especially simple to do if the attacker had a man-in-the-middle position in a target network.
Cisco said that although no workaround for the vulnerability existed, it had released patches for all affected versions of the software. With the company stating that it had discovered the bug during internal security testing, such a story seems to confirm – once again – just how crucial it is for all kinds of organisations to keep a close eye on their security arrangements and take appropriate action if any of their systems turn out to be susceptible.