Slashdot Mirror
Cisco Security Appliances Found To Have Default SSH Keys
Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.
This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
If cisco didn't use interns and cheap H1B labor, maybe this wouldn't happen. Seriously, they need some experience, security minded people to manage and review these products before they ship.
If you think this is bad, try looking at the cisco ACE load balancers. They can't even do modern crypto and they refuse to update them.
Are you kidding? This was done for support reasons; to support the NSA.
In the free world the media isn't government run; the government is media run.
This class of bug is unknown in the free software world because your project will forked.
All corporations are subject to enormous pressure from corporations, and therefore can not be trusted, even if the management wanted to play it straight.
All populations, including the U.S'es are targets of information warfare by the NSA and GCHQ.
There is no security without the source code.
Considering that NSA definitely had the source code and configuration (otherwise they would not use Cisco stuff themselves) they knew about this shit. And leaving such a huge hole in nation's security while it's NSA's main responsibility is unacceptable. And after that recent data breach fiasco, one has to wonder, why the fuck we keep paying their salaries?!