Cisco has fixed a backdoor in its Umbrella Virtual Appliance that could have allowed remote access to customer deployments.
Cisco Umbrella is a cloud-based Secure Internet Gateway (SIG) that offers visibility and protection for devices on and outside the corporate network.
Virtual appliances allow companies to map internal IPs to internal Active Directory users and computers, and forward external DNS queries from the network to an Umbrella data center.
The vulnerability is the result of an undocumented SSH tunnel between the Umbrella Virtual Appliance and a terminating server in Cisco’s data centers, Cisco researchers said in a post. This encrypted channel is designed to let Cisco support personnel troubleshoot customer installations, and it provides unrestricted access to the appliance.
In Umbrella Virtual Appliance 2.0.3 and earlier, this tunnel is always enabled, and opening it does not require permission from the customer. A connection does, however, require valid keys, which are issued only to privileged Cisco Umbrella support staff.
An attacker who can access Cisco’s terminating server could use this SSH tunnel as a backdoor into an organization’s appliances, and the backdoor provides full control over the virtual appliance. Because the customer has no say in whether the tunnel is established, the security of every deployed appliance rests entirely on that terminating server and the keys it holds.
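An always-on support tunnel like the one described above is invisible from inside the appliance if the vendor offers no shell, but it is visible at the perimeter: it shows up as a persistent outbound TCP/22 session from the appliance to a vendor-controlled host. The following script is an added example, not Cisco’s code or anything from the advisory. It parses constructed firewall session records and flags long-lived outbound SSH sessions from internal hosts to external addresses. The log format, the addresses, the appliance IP and the use of the RFC 1918 ranges as “internal” are assumptions for illustration.

```python
"""Flag long-lived outbound SSH sessions from internal hosts to external
addresses in firewall connection logs.

Added example, not Cisco's code. The log format, the addresses and the
appliance IP (10.20.0.15) below are constructed for illustration.
"""
import ipaddress
import re

# Assumption: the organization's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: one TCP session per line, space-separated key=value pairs.
# src/dst are endpoints, dport the destination port, duration the seconds the
# session has been established. Line 3 is what an always-on vendor tunnel
# looks like; line 4 is an admin logging into the appliance; line 5 is a
# short outbound SSH session that is normal administrative traffic.
SAMPLE_LOG = """\
src=10.20.0.15 dst=10.20.0.3 dport=53 duration=2
src=10.20.0.15 dst=203.0.113.10 dport=443 duration=35
src=10.20.0.15 dst=198.51.100.7 dport=22 duration=86400
src=10.20.0.44 dst=10.20.0.15 dport=22 duration=600
src=10.20.0.15 dst=192.0.2.25 dport=22 duration=15
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) duration=(?P<duration>\d+)"
)


def is_internal(addr):
    """True if addr falls in one of the configured internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_sessions(text):
    """Parse the constructed log into dicts; lines that don't match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sessions.append({
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "duration": int(m["duration"]),
        })
    return sessions


def outbound_ssh_tunnels(sessions, min_duration=3600):
    """Return sessions that look like a persistent outbound SSH tunnel:
    internal source, external destination, TCP/22, and established for at
    least min_duration seconds.

    Short outbound SSH sessions are routine admin traffic. A session that
    stays up for hours from an appliance whose job is DNS forwarding is the
    signature of an always-on remote-support channel.
    """
    flagged = []
    for s in sessions:
        if not is_internal(s["src"]):
            continue  # only hosts we own are of interest
        if is_internal(s["dst"]):
            continue  # internal-to-internal SSH is ordinary administration
        if s["dport"] != 22:
            continue
        if s["duration"] < min_duration:
            continue
        flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in outbound_ssh_tunnels(parse_sessions(SAMPLE_LOG)):
        print(f"persistent outbound SSH: {s['src']} -> {s['dst']} "
              f"({s['duration']} s established)")
```

The duration threshold is what separates a support tunnel from an administrator’s interactive session; lowering it to zero turns the check into a plain inventory of every outbound SSH connection from the internal network, which is a useful baseline to take before deciding what is expected.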
Cisco has classified this as a vulnerability, rating it medium severity with a CVSS score of 6.4.
“To address this vulnerability, the Umbrella Virtual Appliance version 2.1.0 now requires explicit customer approval before an SSH tunnel from the VA to the Cisco terminating server can be established,” Cisco researchers said. “Unlike in earlier versions, this is not an always-on support tunnel.”