Many Cisco security devices contain default SSH authorized keys that can allow an attacker to connect to a device and take almost any action they choose. The company said all of its Web Security Virtual Appliance, Email Security Virtual Appliance and Content Security Management Virtual Appliance products are affected by the vulnerability.
This bug is about as bad as they come. An attacker who is able to discover the default SSH key would have virtually free rein over vulnerable boxes, which, given Cisco's market share and presence around the world, is likely to be a large number of devices. Apparently the default key was inserted into the software for support reasons.
"A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv and Cisco SMAv software could allow an unauthenticated, remote attacker to connect to the affected system with root privileges," the Cisco advisory says.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all installations of WSAv, ESAv and SMAv. An attacker could exploit the vulnerability by obtaining the private SSH key and using it to connect to any WSAv, ESAv or SMAv. An exploit could allow the attacker to access the system with root privileges."
Security researchers say the Cisco failure is unfortunately not unique, and that it is an example of a larger problem in the industry. "While most vendors recognize that telnet-based remote administration of firmware is a bad idea, Secure Shell (SSH)-based management consoles are increasingly common.
Unfortunately, these vendors sometimes mistakenly ship a default SSH key across an entire product line. While much better than telnet, all an attacker needs to compromise these devices is to get hold of one of them (or an Internet firmware mirror), extract the key, and then go to town," said Tod Beardsley, security engineering director at Rapid7.
"As we see more of these devices, we recommend that vendors put a 'first boot' procedure in place that dynamically generates a unique SSH key for the device. That way, keys differ per customer and are not shared among all customers, and whoever obtains one key does not get the rest. Note that these devices usually have no administration ports open to the Internet, so attackers generally need to be on the local network (physically or over a VPN that also has access to the Cisco gear in question).
"There are several Metasploit modules available for vulnerabilities like this from a variety of vendors, because once you have the key, the Metasploit module is dead easy to write."
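Beardsley's recommendation above is that vendors generate a unique key per device rather than ship one shared key, and the advisory's point is that a shared default key is equally dangerous on every installation. The defender's counterpart is to audit the key material already on a box against a list of known-bad fingerprints. The following is an added example, not Cisco's or Rapid7's code: it parses authorized_keys-style lines (the same format OpenSSH uses for host public keys in .pub files), computes the OpenSSH SHA256 fingerprint of each key, and reports any key on a known-bad list. All keys in it are constructed for the example, and the known-bad set is a stand-in for an external store.

```python
"""Audit OpenSSH public-key material against a list of known-bad fingerprints.

Added example, not Cisco's or Rapid7's code. All keys below are constructed
for the example and are not real vendor keys.
"""
import base64
import hashlib
import struct

# Key types the parser recognises (assumption: enough for typical appliances).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pub: bytes) -> bytes:
    """Wire-format blob of an ssh-ed25519 public key: type string + 32-byte key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pub)


def blob_type(blob: bytes) -> bytes:
    """Read the key-type string embedded at the start of a public-key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length]


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw blob,
    the same value that `ssh-keygen -lf` prints for the key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_pubkey_line(line: str):
    """Parse one authorized_keys or *.pub line.

    Tolerates a leading options field (e.g. command="...",no-pty) and a trailing
    comment. Returns (key_type, blob, comment), or None for comments, blank
    lines and malformed entries.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            # The blob must carry the same type as the text field, else reject it.
            if len(blob) < 4 or blob_type(blob) != field.encode("ascii"):
                return None
            return field, blob, " ".join(fields[i + 2:])
    return None


def audit(lines, known_bad):
    """Return (line_number, key_type, fingerprint, comment) for every key whose
    fingerprint is in known_bad; unparsable lines are skipped."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        parsed = parse_pubkey_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp in known_bad:
            findings.append((lineno, key_type, fp, comment))
    return findings


# --- constructed sample data (not real keys) ---------------------------------
BAD_BLOB = make_ed25519_blob(bytes(range(32)))        # stands in for a shared default key
GOOD_BLOB = make_ed25519_blob(bytes(range(32, 64)))   # stands in for a per-device key


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys for the example",
    "ssh-ed25519 " + _b64(BAD_BLOB) + " vendor-support@example",
    'command="/usr/bin/support-shell",no-pty ssh-ed25519 ' + _b64(GOOD_BLOB) + " admin@example",
]

# In practice this set comes from an external known-bad key store; here it holds
# only the fingerprint of the constructed "shared default" key.
KNOWN_BAD = {fingerprint(BAD_BLOB)}

if __name__ == "__main__":
    for lineno, key_type, fp, comment in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_BAD):
        print(f"line {lineno}: {key_type} {fp} ({comment}) is a known-bad key; remove or rotate it")
```

Because `fingerprint` reproduces the value `ssh-keygen -lf` prints, the same list can be matched against the appliance's host public keys in /etc/ssh/*.pub as well as against authorized_keys, which covers both the authorized-key and the host-key halves of the problem described on this page.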
Beardsley said Rapid7 is building a store of known-bad SSH keys and expects to see the Cisco key there soon.
THE VULNERABILITY
An attacker would essentially have undetected access to a target system, and Cisco said the bug is simple to exploit, especially if the attacker has a man-in-the-middle position on a target network.
"Exploitation of this vulnerability in Cisco SMAv is possible in all cases where SMAv is used to manage any content security appliance. Successful exploitation of this vulnerability in Cisco SMAv allows an attacker to decrypt SMAv communication, impersonate SMAv, and send altered data to a configured content security appliance. An attacker can exploit this vulnerability on a communication link to any content security appliance that was ever managed by any SMAv," says the advisory.
Cisco says there is no workaround for the vulnerability, but it has published patches for all affected software versions. The company said the vulnerability was discovered during internal security testing. The vulnerable devices offer a variety of security features, including content, e-mail and Web security.