Many Cisco security appliances contain a common default SSH key that could allow an attacker to connect and take almost any action he chooses. “A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user,” Cisco’s advisory says.
“This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco’s market share and presence in the enterprise worldwide, is likely a high number,” writes Dennis Fisher of security watchdog Threatpost.
“As most firmware vendors recognize that telnet-based remote administration is a Bad Idea, secure shell (SSH) based administration consoles are becoming more common. Unfortunately, occasionally these vendors mistakenly ship a single default SSH key across an entire product line. While it’s better than telnet, all it takes for an attacker to compromise these devices is to get a hold of one of them (or an Internet mirror of the firmware), extract the key, and then go to town,” said Tod Beardsley, security engineering manager at Rapid7. “We recommend that vendors instead have a ‘first boot’ procedure that dynamically generates a unique SSH key for that device. That way, the keys are distinct per customer, and not shared among all customers and whomever else gets a hold of the key.”
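Auditing an appliance fleet for exactly this class of defect, as an added example that is not code from the article, Cisco or Rapid7: it computes OpenSSH-style SHA256 fingerprints of host keys and flags any key that appears on more than one device or is on an operator-maintained block list of known-shared fingerprints. The sample keys, host names and block list are constructed for offline use; real input would come from `ssh-keyscan` output or each device's `/etc/ssh/ssh_host_*_key.pub`.

```python
from __future__ import annotations
import base64
import hashlib
import struct


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64>' fingerprint of one 'type base64 [comment]' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's leading string must match the declared key type.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != key_type:
        raise ValueError("key type mismatch in blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(host_keys: dict[str, str], known_shared: set[str]) -> dict[str, list[str]]:
    """Map each fingerprint that is on the block list OR presented by more than
    one host to the hosts presenting it. Either condition means the key is not
    unique to the device and should be regenerated (e.g. on first boot)."""
    by_fp: dict[str, list[str]] = {}
    for host, line in host_keys.items():
        by_fp.setdefault(fingerprint(line), []).append(host)
    return {fp: hosts for fp, hosts in by_fp.items()
            if fp in known_shared or len(hosts) > 1}


def make_ed25519_line(seed: int) -> str:
    """Constructed sample key for offline runs, in ssh-ed25519 wire format
    (string type || string 32-byte point). The 32 bytes are NOT a real key."""
    raw = hashlib.sha256(b"sample-%d" % seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample"


# Constructed fleet: two appliances shipped with the same factory key.
SAMPLE_FLEET = {
    "wsa-01": make_ed25519_line(1),
    "wsa-02": make_ed25519_line(1),
    "esa-01": make_ed25519_line(2),
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_FLEET, set()).items():
        print(f"{fp} is shared by {hosts}: regenerate per device with ssh-keygen")
```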
For the vendor, generating unique SSH keys can be challenging because it creates thousands of keys that need to be catalogued, tracked, updated and managed. An alternative is to use iTivity Linux Remote Support. iTivity performs all privileged access authentication from a central server so that SSH keys are not needed on the remote appliance in the first place.