Cisco addresses default SSH keys in multiple products

The Cisco Product Security Incident Response Team is not aware of any malicious use of the vulnerabilities.

Cisco has released software updates to address default SSH key vulnerabilities in Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv).

Exploitation of the default authorised SSH key vulnerability, CVE-2015-4216, could enable an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user, an advisory said.

“The vulnerability is due to the presence of a default authorised SSH key that is shared across all the installations of WSAv, ESAv, and SMAv,” the advisory said. “An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv.”

Similarly, the default SSH host keys vulnerability, CVE-2015-4217, is due to the presence of default SSH host keys that are shared across all installations of WSAv, ESAv, and SMAv. The bug can be exploited by an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances.

“An attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack,” the advisory said, explaining, “Successfully exploiting this vulnerability on Cisco SMAv allows an attacker to decrypt communication toward SMAv, impersonate SMAv, and send altered data to a configured content appliance.”
