Cisco has released patches to address default SSH key vulnerabilities in its Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) products.
Exploitation of the default authorised SSH key vulnerability, CVE-2015-4216, could enable an unauthenticated, remote attacker to connect to the affected system with root (superuser) privileges, an advisory said.
“The vulnerability is due to the presence of a default authorised SSH key that is shared across all the installations of WSAv, ESAv, and SMAv,” the advisory said.
According to the advisory, an attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv.
Similarly, the default SSH host keys vulnerability, CVE-2015-4217, is due to the presence of default SSH host keys that are shared across all installations of WSAv, ESAv, and SMAv.
The bug can be exploited by an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances.
“An attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack,” the advisory stated.
Successful exploitation of the vulnerability on Cisco SMAv allows an attacker to decrypt communication towards devices. Attackers can also impersonate the SMAv and send altered data to a configured content appliance, Cisco's advisory warned.
Cisco said it wasn't aware of any malicious use of the vulnerabilities.
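Both flaws come down to key material that is identical across installations, which an administrator can check for in their own fleet. The following is an added example, not code from Cisco or the advisory: it fingerprints public host keys and root authorized-key entries that have already been collected per host, and reports any key present on more than one host. The hostnames, inventory dictionaries and key blobs are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_keys(per_host_text):
    """Return {fingerprint: [hosts]} for keys present on more than one host."""
    seen = defaultdict(set)
    for host, text in per_host_text.items():
        for line in text.splitlines():
            tokens = line.split()
            if not tokens or tokens[0].startswith("#"):
                continue
            for i, tok in enumerate(tokens[:-1]):  # skips a leading options field
                if tok in KEY_TYPES:
                    try:
                        seen[fingerprint(tokens[i + 1])].add(host)
                    except ValueError:  # malformed base64: ignore the line
                        pass
                    break
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def _blob(seed):
    """Constructed stand-in for a key blob (not a real SSH key)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed inventory: hostnames and key material are made up for this example.
HOST_KEYS = {
    "wsav-01.example.test": f"ssh-rsa {_blob(b'image-host-key')}",
    "esav-01.example.test": f"ssh-rsa {_blob(b'image-host-key')}",
    "smav-02.example.test": f"ssh-rsa {_blob(b'regenerated-host-key')}",
}
ROOT_AUTHORIZED_KEYS = {
    "wsav-01.example.test": f'from="192.0.2.10" ssh-rsa {_blob(b"image-login-key")} support\n'
                            f"ssh-ed25519 {_blob(b'alice-key')} alice\n",
    "esav-01.example.test": f"ssh-rsa {_blob(b'image-login-key')} support\n",
    "smav-02.example.test": f"ssh-ed25519 {_blob(b'bob-key')} bob\n",
}

if __name__ == "__main__":
    for name, inv in (("host", HOST_KEYS), ("authorized", ROOT_AUTHORIZED_KEYS)):
        print(name, shared_keys(inv))
```

Any fingerprint this reports for appliances deployed from the same image is a candidate shared default key and should be compared against the vendor advisory.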