WavebreakmediaMicro - Fotolia

Business urged to patch Cisco SSH vulnerability

The presence of a default authorised SSH key could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user, Cisco warns

Security experts are urging businesses to patch any Cisco products that were shipped with default encryption keys, exposing users to cyber breaches.

Cisco released a security update after it emerged that versions of Cisco’s Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv) and Security Management Virtual Appliance (SMAv) that were distributed before 25 June 2015 were vulnerable.

The presence of a default authorised secure shell (SSH) key could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user, Cisco warned in an advisory.

“An attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack,” the advisory said.

According to Cisco, it is not aware of “any public announcements or malicious use of the vulnerabilities that are described in this advisory”, but security experts said businesses using the affected products should not delay in installing the update.

“It is great that there has been an update to address the issue, but customers must actually apply it to be protected. There’s often a lag between update availability and effective deployment, creating a window of risk,” said Tim Erlin, director of security and product management at security firm Tripwire.

“Because this affects virtual images, it’s entirely possible that some may lay dormant through the initial update cycle, then introduce the vulnerability at a later date when started,” he warned.

According to Erlin, it is also difficult to estimate the scope of impact for this vulnerability without knowing how many affected products are being used in production environments.

The Cisco security update deletes the pre-installed SSH keys and provides instructions for how customers can fix the problem. The supplier notes there is no workaround for the vulnerability.

Cisco said the patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after 25 June 2015.

The update can be found in a list of product upgrades. It is called “cisco-sa-20150625-ironport SSH Keys Vulnerability Fix”, and must be installed from a command line interface, the company said.

Read more about SSH security

Read more on Privacy and data protection