Cisco Security Appliances Found To Have Default SSH Keys
Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.
This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.
"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
Oh come ON (Score:2)
Was THIS the way you finally managed to get off ssh1, Cisco?
Re:Using Linux would prevent these Cisco mishaps! (Score:5, Informative)
Cisco is very much a "configure it yourself" type of deal. In fact their whole certification track above the CCENT level revolves heavily around knowing the IOS command syntax.
You can substitute their routers for Linux, but NOT their layer 3 switches, unless you really don't give a shit about performance in an enterprise environment.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
A Cisco Nexus is pretty Linux.
Re: (Score:2)
Yeah, pretty much all of Ubiquiti's gear is. Edgeswitch, in particular, in this case.
Re: (Score:1)
Juniper's OS is based on freebsd.
Re: (Score:2)
There are lots of switches running linux. Of course, linux isn't the thing doing the switching.
The question to ask is can you get to the OS and/or ssh configuration to remove whatever the vendor may have installed? (i.e. remove whatever ssh backdoor keys they left there.) In most cases, the answer is "Hell. No."
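The advisory text quoted in the summary (one authorized key shared across every WSAv, ESAv and SMAv install) and the question in this comment (can you even see what the vendor left in the ssh configuration) both reduce to the same audit: collect the authorized_keys files from a fleet, fingerprint every key the way `ssh-keygen -lf` does, and flag any key that appears on more than one host or that carries no `from=` source restriction. The script below is an added example written for this page; it is not Cisco's code, not the appliance's, and not from anyone in this thread. It assumes you have already gathered the file contents per host. The host names, the key material and the "vendor support" key are constructed for the demonstration (the blobs are structurally valid ssh-ed25519 keys, since that format is just the type string plus 32 bytes), so it runs offline.

```python
"""Audit authorized_keys data from several hosts for keys shared across
installations and for keys without a from= source restriction.
Added example; hosts and keys below are constructed, not real."""
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)


def split_options(line):
    """Split an authorized_keys line into (options, rest).

    Options precede the key type and may contain quoted strings with
    spaces, e.g. command="/usr/bin/rrsync /backup",from="10.0.0.5".
    """
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_entry(line):
    """Return (options, key_type, fingerprint) or None for blank/comment lines.

    The fingerprint is SHA256 over the decoded key blob, base64 without
    padding, which is exactly what `ssh-keygen -lf` prints.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("unrecognised authorized_keys line: %r" % line)
    ktype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The wire blob starts with a length-prefixed copy of the key type;
    # a mismatch means the line is corrupt or has been tampered with.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("declared type %s does not match key blob" % ktype)
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return options, ktype, fingerprint


def audit(host_files, shared_threshold=2):
    """host_files maps hostname -> authorized_keys text.

    Returns {"shared": {fp: [hosts]}, "unrestricted": {fp: [hosts]}} where
    "shared" lists keys present on at least shared_threshold hosts and
    "unrestricted" lists keys whose entry has no from="..." option.
    """
    hosts_by_fp = defaultdict(set)
    unrestricted = defaultdict(set)
    for host, text in host_files.items():
        for line in text.splitlines():
            entry = parse_entry(line)
            if entry is None:
                continue
            options, _ktype, fp = entry
            hosts_by_fp[fp].add(host)
            if 'from="' not in options:
                unrestricted[fp].add(host)
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items()
              if len(h) >= shared_threshold}
    return {"shared": shared,
            "unrestricted": {fp: sorted(h) for fp, h in unrestricted.items()}}


# ---- constructed sample data (not real keys, not Cisco's key) ----
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def make_pubkey_line(ktype, seed, options="", comment="test"):
    """Build a syntactically valid public key line from a seed; for
    ssh-ed25519 the blob layout (type + 32 bytes) matches the real format."""
    blob = _ssh_string(ktype.encode()) + _ssh_string(hashlib.sha256(seed).digest())
    line = "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)
    return (options + " " + line) if options else line


VENDOR_KEY = make_pubkey_line("ssh-ed25519", b"vendor-support-key",
                              comment="support@vendor")
SAMPLE_HOSTS = {
    "wsa-01": VENDOR_KEY + "\n" + make_pubkey_line(
        "ssh-ed25519", b"admin-alice", 'from="10.0.0.5",restrict', "alice"),
    "esa-01": VENDOR_KEY + "\n",
    "sma-01": "# managed by config push\n" + VENDOR_KEY + "\n"
              + make_pubkey_line("ssh-ed25519", b"admin-bob", comment="bob"),
}

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    for fp, hosts in report["shared"].items():
        print("SHARED   %s on %s" % (fp, ", ".join(hosts)))
    for fp, hosts in report["unrestricted"].items():
        print("NO from= %s on %s" % (fp, ", ".join(hosts)))
```

In practice the input is whatever you can pull from each box (root's and the service accounts' authorized_keys, plus any sshd `AuthorizedKeysFile` locations named in sshd_config), and a fingerprint that shows up on every appliance you own is the thing to compare against a vendor advisory. The type check on the blob is there because a line can declare one key type and carry another; OpenSSH itself rejects those, but an auditor that only hashes the base64 text would still count them. On appliances where the file is not reachable at all, as this comment notes is common, the only remediation is the vendor's patch, and the audit runs against the next firmware image instead.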
Re: (Score:2)
Re: (Score:3)
http://cumulusnetworks.com/blo... [cumulusnetworks.com]
http://www.datacenterknowledge... [datacenterknowledge.com]
http://opennetlinux.org/ [opennetlinux.org]
http://www.opencompute.org/ [opencompute.org]
http://www.wired.com/2013/03/b... [wired.com]
Get with the times, the Big Iron networking gear (like that used at Google and Facebook) is switches running Linux.
Re: (Score:2)
Quite a difference between using any old Linux server as a router, and using an actual device that is purpose built for that which includes an ASIC to make faster and more efficient forwarding decisions.
Re: (Score:2)
A layer 3 switch is a fucking router. It's called a layer 3 switch because it's a fucking shitty router.
Switches are layer 2.
Re: (Score:2)
It is a router that can *route* packets among all interfaces at full speed. Get a Linux box with 16 NICs and flood them with traffic. See it sizzling, smoking and crashing.
Oh fuck off with that bullshit. Routing packets takes minimal CPU, so fuck off with your sizzling and smoking horse shit. Full fledged routers are much more capable than "layer 3 switches".
Re: (Score:2)
Poverty = ignorance. Have you ever touched anything not sold in Bestbuy?
I think it's worse than that. He's a real life Nelson "Big Head" Bighetti. Makes himself look knowledgeable but is really just fucking worthless.
Re: (Score:1)
Re: (Score:2)
A "layer 3 switch" has minimal routing features and is only a "great router" if you don't need to do much routing and thus don't want to spend money on an actual router.
Re: (Score:2)
A layer 3 switch is in many ways better than a router because it makes forwarding decisions in hardware. Meanwhile dedicated routers don't offer any big advantages over a layer 3 switch unless you happen to be using old shit like frame relay where you need special WICs and can't use ordinary ethernet or SFP adapters.
Re: (Score:2)
Dedicated routers offer same-or-better performance and capacity of a "layer 3 switch", and give you FULL layer 3 traffic control, not the half-assed firewalling, prioritization, etc. that "layer 3 switches" provide (at slow fucking speed).
"Layer 3 Switch" is a marketing term for "half-assed router", and nothing more. If they were as capable as routers they'd be called routers because they'd fucking be routers. It's just like "smart managed switch", which means you get a semi-functional web interface (and
Re: (Score:2)
Wow. Not only is everything you said way wrong (way way way WAY wrong,) but it's also approaching retardation.
In fact, I strongly recommend there be a restraining order to prevent you from going anywhere within a mile of any enterprise grade network. You're of those guys who talks down to other employees at IT shops while always being the biggest cause of down time. 100% Dunning-Kruger.
Re: Using Linux would prevent these Cisco mishaps! (Score:2)
Except the 'security appliance' line does not run IOS. These are servers (originally re-badged Dell PowerEdge, but now Cisco UCS C-class rack-mounts) running AsyncOS (a proprietary FreeBSD-based platform), which used to be branded as Ironport.
It doesn't seem to affect any IOS flavour (IOS, IOS-XE which is Linux-based, IOS-XR) or the Nexus NX-OS (Linux-based).
Re: (Score:1)
You mean like everyone who had to replace their Debian-generated SSL keys due to bad (practically nonexistent) PRNG seeding?
Beware 'appliances' (Score:2)
This is the example of precisely how disciplined the 'appliances' you get from vendors are constructed.
This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.
Think about that next time you save a few seconds of your time buying an appliance or even pulling down something from dockerhub instead of just installing the platform.
Of course the software industry has gone to town with appliances, meaning they spend no time properly packaging things anymo
Re:Beware 'appliances' (Score:5, Interesting)
If cisco didn't use interns and cheap H1B labor, maybe this wouldn't happen. Seriously, they need some experience, security minded people to manage and review these products before they ship.
If you think this is bad, try looking at the cisco ACE load balancers. They can't even do modern crypto and they refuse to update them.
Are you kidding? This was done for support reasons; to support the NSA.
Re: Beware 'appliances' (Score:1)
Exactly. Key is right where NSA told Cisco to put it.
It's a *feature,* not a bug.
Re: (Score:2)
Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.
Re: (Score:3)
Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.
I don't get the impression that the NSA really think things like this through to that extent.
Re: (Score:1)
No way in Hades would Cisco "accidentally" insert a secret backdoor into so much enterprise hardware unless forced to do so. Putting aside layers upon layers of code review for something that big to happen Cisco management well know you don't do that to enterprise customers. I'm surprised post-Snowden so many people are still in denial the NSA is indeed trying to put backdoors in everything. It's not tinfoilhat.
Re: Beware 'appliances' (Score:1)
Re: (Score:2, Troll)
Re: (Score:2)
Just out of curiosity, what do you think the proper homonym phrase is for this?
Re: Interesting eggcorn (Score:3)
It should be "free rein". It refers to the reins used to direct the travel of a horse similarly to the way "steering wheels" were used to direct the motion of automobiles before Google acquired a majority stake in the US Supreme Court and self-driving cars became mandatory.
Anyway, if you were to release your grip on the reins, then the horse may theoretically feel free to travel in any direction. In practice the horse generally returned to the barn after scraping the rider off on the nearest tree.
Re: (Score:3)
Re: (Score:2)
The correct figure of speech is "free rain."
Nope, the correct figure of speech is "Free Ryan":
From Wikipedia: "In September 2013, the first book about the Ryan Ferguson case was released: Free Ryan Ferguson: 101 Reasons Why Ryan Ferguson Should Be Released, by Brian D'Ambrosio."
Re: (Score:2)
Just out of curiosity, what do you think the proper homonym phrase is for this?
From grammarist.com it should be "free rein" as in a horse being able to do what they want because the reins are free. "reign" is a recent misspelling that is being used more often.
Re: (Score:3)
This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.
"Goof?" I'm not convinced. It's just as likely that this was engineered into the products intentionally.
News broke last year that NSA was intercepting Cisco equipment [arstechnica.com] enroute to customers and making a few tweaks. Cisco made a big production a few months ago about how they were suddenly willing to ship to random addresses [schneier.com] to avoid NSA interdiction. Perhaps that's because whatever NSA needs is already built in, and always has been, and the whole story about NSA physically yanking packages from carriers was mi
Re: (Score:2)
Why invent some NSA conspiracy when Cisco clearly said it was intentional for support purposes?
The default key apparently was inserted into the software for support reasons.
Re: (Score:3)
for support reasons
You're not asking the correct question.
"To support whom?"
Re: (Score:1)
Anyone that doesn't think the NSA was involved is extremely gullible. Cisco is the biggest networking company in the world. They serve governments and large corporations around the planet which all expect transparency and security. Cisco's management, engineers, programmers and it their cats could speak.... all know beyond a shadow of a doubt you don't insert secret default backdoors into enterprise hardware. Code review would have detected such a glaringly obvious "bug" long before it was inserted into th
NSA? (Score:4, Insightful)
Re: (Score:2)
Yes, that's exactly what they said. It was added to support the NSA. Oh, did you think "support reasons" meant support for their customers? How quaint! ;)
How (Score:2)
is this a bug?
default, authorized SSH keys
Barracuda Backup, too! (Score:1)
https://techlib.barracuda.com/... [barracuda.com]
You can't change the keys, so if you want to use SSHFS to back up systems that aren't agent supported, you've potentially given root access to anyone who's extracted the private key from the appliance (and leaked it to the internet). I wouldn't be surprised if the agents used the same craptastic cryptographic fail.
Re: (Score:2)
To be fair, they allow you to use non-root users. And if you don't have a firewall rule to only allow SSH from the backup master, then you're an idiot.
Odd how little criticism they get (Score:2)
Re: (Score:1)
It's because of the "no one has ever lost a job buying Cisco" attitude that is so prevalent in the industry; many engineers drank the Kool-Aid long ago and don't want to admit that Cisco is not completely infallible.
Almost every network engineer I know has some sort of Cisco certification; people have to continue to justify the hefty price for the hardware and the expensive certifications.
Re: (Score:2)
Quite honestly, I think a lot of people understand they are complete, overpriced shit. Unfortunately, the competitors appear to be mainly moderately or reasonably priced shit from a security perspective. The question comes down to accountability for the person purchasing/configuring it: can you at least say it was a best-of-breed device and was properly configured for an appropriate level of security, or will you need to say that the purchasing decision was made to save $400 and buy something else...
It se
Similar to having default passwords (Score:1)
How many home routers have default passwords that aren't forcibly changed when the router is first set up?
It's the same principle, with the only difference being it is something that has to be discovered by someone, once, rather than guessed like so many easy-to-guess default passwords ("admin", "password", etc.).
The other difference is that one should expect better from a device that is specifically marketed as a security device. But that's a social issue not a technical one.
You must have the source code! (Score:5, Interesting)
This class of bug is unknown in the free software world because your project will be forked.
All corporations are subject to enormous pressure from corporations, and therefore can not be trusted, even if the management wanted to play it straight.
All populations, including the U.S.'s, are targets of information warfare by the NSA and GCHQ.
There is no security without the source code.
Re:You must have the source code! (Score:5, Insightful)
Re: (Score:1)
Re: (Score:1)
Bug???? (Score:5, Insightful)
This isn't a bug.
This is crap security by design.
And you can probably bet that the NSA and the Chinese have these keys, and can pretty much bypass any "security" offered by Cisco.
Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.
Exactly (Score:4, Insightful)
Do you know how many times I thought about adding a back channel to a piece of software I wrote because it's easier than training users? Do you care to guess at how many times I have actually done this?
Let's ask that same question about smaller software companies. You won't find any that survive for long after people find out they have these kinds of security practices.
It's hard to say why this happens so frequently and massively with large companies/corporations. I'm sure it's partly Government pressure, probably pressure from other companies/corporations, and partly an ignorant executive demanding this gets done. I'm sure the latter can claim the first two are the problem. The latter however, should result in termination of the execs responsible. That last part does not happen, which makes me wonder how big the first two really are.
Re: (Score:1)
Re: (Score:1)
"And you can probably bet that the NSA and the Chinese have these keys"
We know at minimum the NSA has them.,.. because it was the NSA that told Cisco to put them there!
This isn't like accidentally spilling a coffee. The firmware of hundreds of thousands of devices doesn't "accidentally" get secret backdoors. Cisco wouldn't jeopardize billions in future sales without being forced to do so by an NSA. What I'm curious to know is the real story behind why they are suddenly telling us now? (rather than the scri
Occam's Electric Shaver (Score:2)
Never attribute activity to nefarious government agencies to what can be more easily explained by clueless MBA PHBs demanding their own personal screendoor.
Not a bug (Score:2)
I believe the problem here is that they thought they could get away with including the "lawful interception" (i.e. "immoral and dangerous backdoor") key just by the ordinary mechanism instead of compiling it into the sshd binary.
Time to yank NSA's leash (Score:5, Interesting)
Re: (Score:1)
Re: (Score:1)
Cisco security appliances contain default SSH keys (Score:2)
Get a grip guys (Score:1)