Slashdot Mirror
Cisco Security Appliances Found To Have Default SSH Keys
Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.
This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
There might be reasons other than "support" for universal access SSH keys.
This is exactly the "encryption backdoor" that the NSA and FBI keep saying they want. And this is exactly the outcome.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
This isn't a bug.
This is crap security by design.
And you can probably bet that the NSA and the Chinese have these keys, and can pretty much bypass any "security" offered by Cisco.
Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.
Lost at C:>. Found at C.
Do you know how many times I thought about adding a back channel to a piece of software I wrote because it's easier than training users? Do you care to guess at how many times I have actually done this?
Lets ask that same question about smaller software companies. You won't find any that survive for long after people find out they have these kinds of security practices.
It's hard to say why this happens so frequently and massively with large companies/corporations. I'm sure it's partly Government pressure, probably pressure from other companies/corporations, and partly an ignorant executive demanding this gets done. I'm sure the latter can claim the first two are the problem. The latter however, should result in termination of the execs responsible. That last part does not happen, which makes me wonder how big the first two really are.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.