
Cisco Security Appliances Found To Have Default SSH Keys

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
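The advisory describes one authorized key shared across every installation, which is exactly the pattern a defender can look for in collected `authorized_keys` files. The script below is an added illustration, not code from Cisco or from this thread: it parses OpenSSH `authorized_keys` entries (including the optional options field, whose quoted values may contain spaces), computes OpenSSH-style SHA256 fingerprints, and flags any key that appears on two or more hosts or that is installed without a `from=` or `command=` restriction. The host names, key blobs and file contents are constructed test data and are not real keys.

```python
"""Audit authorized_keys files collected from several hosts for shared,
unrestricted keys. Added example, not Cisco's or Slashdot's code; the
host names, key material and file contents below are constructed."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
RESTRICTING_OPTIONS = ("from=", "command=")


def _ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from a
    constructed seed. This is NOT a real key pair, only test data."""
    pub = hashlib.sha256(seed).digest()            # stand-in 32-byte point
    wire = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + pub)
    return base64.b64encode(wire).decode()


# Constructed inventory: one key is on every host without restriction,
# one backup key is pinned to a source address, one admin key is per host.
SHARED_KEY = _ed25519_blob(b"constructed-vendor-support-key")
SAMPLE_INVENTORY = {
    "wsa-01.example": (
        f"ssh-ed25519 {SHARED_KEY} support@vendor\n"
        f'from="10.0.0.5" ssh-ed25519 {_ed25519_blob(b"wsa-01-backup")} backup\n'
    ),
    "esa-01.example": f"ssh-ed25519 {SHARED_KEY} support@vendor\n",
    "sma-01.example": (
        "# comment and blank lines are skipped\n\n"
        f"ssh-ed25519 {SHARED_KEY} support@vendor\n"
        f"ssh-ed25519 {_ed25519_blob(b'sma-01-admin')} admin@corp\n"
    ),
}


def split_options(line: str):
    """Return (options, rest). The optional options field ends at the first
    unquoted whitespace; quoted values such as command="rsync --server"
    may contain spaces, so a plain split() would be wrong."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text: str):
    """Yield (options, keytype, blob, comment) for each key entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
            continue                                # malformed entry
        comment = parts[2] if len(parts) == 3 else ""
        yield options, parts[0], parts[1], comment


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(inventory, shared_threshold=2):
    """Map fingerprint -> finding for keys installed on shared_threshold or
    more hosts, or lacking a from=/command= restriction on any host.
    Per-host keys that carry a restriction are not reported."""
    hosts, unrestricted, label = defaultdict(set), defaultdict(set), {}
    for host, text in inventory.items():
        for options, keytype, blob, comment in parse_authorized_keys(text):
            fp = fingerprint(blob)
            hosts[fp].add(host)
            label.setdefault(fp, f"{keytype} {comment}".strip())
            if not any(opt in options for opt in RESTRICTING_OPTIONS):
                unrestricted[fp].add(host)
    findings = {}
    for fp, on_hosts in hosts.items():
        shared = len(on_hosts) >= shared_threshold
        if shared or unrestricted[fp]:
            findings[fp] = {"key": label[fp], "hosts": sorted(on_hosts),
                            "shared": shared,
                            "unrestricted_on": sorted(unrestricted[fp])}
    return findings


if __name__ == "__main__":
    for fp, f in audit(SAMPLE_INVENTORY).items():
        tag = "SHARED" if f["shared"] else "single"
        print(f"{tag} {fp} {f['key']} hosts={f['hosts']} "
              f"unrestricted_on={f['unrestricted_on']}")
```

On the constructed inventory the vendor key is reported as shared across all three hosts and unrestricted everywhere, the per-host admin key is reported only because it lacks a restriction, and the `from=`-pinned backup key is silent. In practice the inventory would be filled from the appliances' `authorized_keys` files (root's as well as any service accounts), and a key that turns up on every unit with the same fingerprint is the signature of the problem the advisory describes.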
  • Was THIS the way you finally managed to get off ssh1, Cisco?

  • This is an example of precisely how disciplined the 'appliances' you get from vendors are constructed.

    This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

    Think about that next time you save a few seconds of your time buying an appliance or even pulling down something from dockerhub instead of just installing the platform.

    Of course the software industry has gone to town with appliances, meaning they spend no time properly packaging things anymo

    • by ShaunC ( 203807 )

      This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

      "Goof?" I'm not convinced. It's just as likely that this was engineered into the products intentionally.

      News broke last year that NSA was intercepting Cisco equipment [arstechnica.com] en route to customers and making a few tweaks. Cisco made a big production a few months ago about how they were suddenly willing to ship to random addresses [schneier.com] to avoid NSA interdiction. Perhaps that's because whatever NSA needs is already built in, and always has been, and the whole story about NSA physically yanking packages from carriers was mi

      • Why invent some NSA conspiracy when Cisco clearly said it was intentional for support purposes?

        The default key apparently was inserted into the software for support reasons.

  • NSA? (Score:4, Insightful)

    by Laguerre ( 1198383 ) on Friday June 26, 2015 @02:56PM (#49997645)
    There might be reasons other than "support" for universal access SSH keys.
    • Yes, that's exactly what they said. It was added to support the NSA. Oh, did you think "support reasons" meant support for their customers? How quaint! ;)

  • by koan ( 80826 )

    is this a bug?

    default, authorized SSH keys

  • https://techlib.barracuda.com/... [barracuda.com]

    You can't change the keys, so if you want to use SSHFS to backup systems that aren't agent supported, you've potentially given root access to anyone who's extracted the private key from the appliance (and leaked it to the internet). I wouldn't be surprised if the agents used the same craptastic cryptographic fail.

    • To be fair, they allow you to use non-root users. And if you don't have a firewall rule to only allow SSH from the backup master, then you're an idiot.

  • It's odd how companies like Microsoft get criticized a lot about their malice and monopoly position, but Cisco gets a free pass even when they are the dominant player in enterprise networking gear. Why is this? I'm sure that even this message goes through mountains of Cisco hardware when I send it.
    • by Atticka ( 175794 )

      It's because of the "no one has ever lost a job buying Cisco" attitude that is so prevalent in the industry; many engineers drank the Kool-Aid long ago and don't want to admit that Cisco is not completely infallible.

      Almost every network engineer I know has some sort of Cisco certification, people have to continue to justify the hefty price for the hardware and the expensive certifications.

    • Quite honestly, I think a lot of people understand they are complete, overpriced shit. Unfortunately, the competitors appear to be mainly moderately or reasonably priced shit from a security perspective. The question comes down to accountability for the person purchasing/configuring it: can you at least say it was a best-of-breed device and was properly configured for an appropriate level of security, or will you need to say that the purchasing decision was made to save $400 and buy something else...

      It se

  • How many home routers have default passwords that aren't forcibly changed when the router is first set up?

    It's the same principle, with the only difference being it is something that has to be discovered by someone, once, rather than guessed like so many easy-to-guess default passwords ("admin", "password", etc.).

    The other difference is that one should expect better from a device that is specifically marketed as a security device. But that's a social issue, not a technical one.

  • by anwyn ( 266338 ) on Friday June 26, 2015 @03:58PM (#49998201)
    This so-called bug is only possible because users do not have access to the source code. From the user's perspective it does not matter if this was done because of pressure from NSA or convenience of maintenance techs!

    This class of bug is unknown in the free software world because your project will be forked.

    All corporations are subject to enormous pressure from corporations, and therefore can not be trusted, even if the management wanted to play it straight.

    All populations, including the U.S.'s, are targets of information warfare by the NSA and GCHQ.

    There is no security without the source code.

    • by PRMan ( 959735 ) on Friday June 26, 2015 @04:12PM (#49998303)
      This is exactly the "encryption backdoor" that the NSA and FBI keep saying they want. And this is exactly the outcome.
    • by DaveHowe ( 51510 )
      I suspect in this particular case, it won't be needed. The devices in question are virtual appliances, and are some sort of *nix (probably BSD) under the hood. I haven't tried this yet, but it would make sense that booting from a rescue disk would let you go mess with the ssh keys and config directly. Now, all these boxes have a remote support functionality built in. I am suspecting (also) that this uses the key to get a true ssh shell (a bash prompt, again presumably) so they can do fixes at the os level
  • Bug???? (Score:5, Insightful)

    by gstoddart ( 321705 ) on Friday June 26, 2015 @04:40PM (#49998491) Homepage

    This bug is about as serious as they come for enterprises

    This isn't a bug.

    The default key apparently was inserted into the software for support reasons.

    This is crap security by design.

    And you can probably bet that the NSA and the Chinese have these keys, and can pretty much bypass any "security" offered by Cisco.

    Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

    • Exactly (Score:4, Insightful)

      by s.petry ( 762400 ) on Friday June 26, 2015 @05:49PM (#49999057)

      Do you know how many times I thought about adding a back channel to a piece of software I wrote because it's easier than training users? Do you care to guess at how many times I have actually done this?

      Let's ask that same question about smaller software companies. You won't find any that survive for long after people find out they have these kinds of security practices.

      It's hard to say why this happens so frequently and massively with large companies/corporations. I'm sure it's partly Government pressure, probably pressure from other companies/corporations, and partly an ignorant executive demanding this gets done. I'm sure the latter can claim the first two are the problem. The latter however, should result in termination of the execs responsible. That last part does not happen, which makes me wonder how big the first two really are.

    • by Anonymous Coward

      "And you can probably bet that the NSA and the Chinese have these keys"

      We know at minimum the NSA has them... because it was the NSA that told Cisco to put them there!

      This isn't like accidentally spilling a coffee. The firmware of hundreds of thousands of devices doesn't "accidentally" get secret backdoors. Cisco wouldn't jeopardize billions in future sales without being forced to do so by an NSA. What I'm curious to know is the real story behind why they are suddenly telling us now? (rather than the scri

    • Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

      Never attribute activity to nefarious government agencies to what can be more easily explained by clueless MBA PHBs demanding their own personal screendoor.

  • I believe the problem here is that they thought they could get away with including the "lawful interception" (i.e. "immoral and dangerous backdoor") key just by the ordinary mechanism instead of compiling it into the sshd binary.

  • by sshir ( 623215 ) on Friday June 26, 2015 @05:55PM (#49999087)
    Considering that NSA definitely had the source code and configuration (otherwise they would not use Cisco stuff themselves) they knew about this shit. And leaving such a huge hole in nation's security while it's NSA's main responsibility is unacceptable. And after that recent data breach fiasco, one has to wonder, why the fuck we keep paying their salaries?!
    • If the NSA has our ssh keys then I am not sure why they keep opening support cases with us. I work for Cisco and support the WSA. If this is so easy to intercept and steal the ssh private key from Cisco devices then why has it not already been done? I have worked for Cisco for 5 years supporting this device and have yet to see anyone compromise the WSA. The SSH key is loaded for us CSEs to gain access to the back end of the OS which customers do not have access to. I understand the argument why is it a clo
  • by Anonymous Coward
    WSA, ESA and SMA all came from the Ironport acquisition. At that time, Ironport was considered the model for success, and their management team basically acquired Cisco security. As a result, their products never got the full inspection for vulnerabilities and this was simply missed. This was not an NSA trick, just human error.
