Cisco issued patches to fix default encryption keys in three of its security products.
As a result of the problem, users are at risk of an unauthenticated remote attacker being able intercept traffic or gain access to vulnerable systems with root privileges.
The Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) are vulnerable due to default SSH keys which could allow an unauthenticated, remote attacker to connect to an affected system with the privileges of the root user, the company said in a security advisory published June 25.
The networking giant released free software updates to fix the flaws and said its physical appliances do not suffer from the vulnerabilities.
Cisco said the affected appliances all have default authorized SSH keys and default SSH host keys.
The default authorized SSH key vulnerability (CVE-2015-4216) is a flaw in the remote support functionality of the virtual appliances, which if leveraged, could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.
“The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv,” Cisco said. “An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv.”
The default SSH host keys vulnerability (CVE-2015-4217) is also a flaw in the remote support functions of the products and could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances, Cisco said.
Users should patch immediately since there are no workarounds for the vulnerabilities.
Cisco said the vulnerabilities ended up discovered during internal testing and security reviews, and the company is not aware of any attacks exploiting these vulnerabilities.