Default backdoor SSH key gives root privileges to an attacker

Jul 3, 2014 08:00 GMT

Three vulnerabilities have been fixed in the latest version of Cisco’s Unified Communications Domain Manager (Unified CDM), one of them allowing a potential attacker to connect from a remote location with root privileges, without authentication.

Assigned the CVE-2014-2198 identifier, the security glitch could be exploited because of a default private SSH key intended for the support team that is stored insecurely on the system.

By obtaining this key, a potential attacker could connect to the system with root access, without being required to provide any authentication credentials.

Cisco warns that obtaining the SSH key can be done through reverse engineering of the binary file of the operating system, because the item is embedded in the software.

Another glitch (CVE-2014-2197) affects the Unified CDM Application Software and refers to gaining administrative privileges to the vulnerable system. The cause is “improper implementation of authentication and authorization controls of the Administration GUI.”

In order to exploit the vulnerability, an attacker has to be logged in and submit a maliciously crafted URL that changes the administrative credentials of the authenticated user.

“The attacker needs to be authenticated to the system or convince a valid user of the Administration GUI to click a malicious link,” says the Cisco report.

The third vulnerability affects the web framework of Cisco’s Unified CDM Application Software and presents the risk of accessing and editing the user information on the BVSMWeb portal.

An intruder would be able to change settings in the phone directory, speed dials, Single Number Reach, and the call forward configuration. Taking advantage of this security flaw does not require any form of authentication and can be achieved by submitting a specially crafted link to the affected system.

The SSH key offering the support team backdoor access to the customer’s equipment has been eliminated in the latest version of Unified CDM Platform Software (4.4.2), but all previous builds remain vulnerable.

According to Dr. Johannes Ullrich of the SANS Institute, “Having the same key on all systems is mistake number one, but wouldn't be fatal if the secret key would have been tucked away in Cisco's special safedeposit box. Instead, they left the secret key on customer systems as well. So in other words: If you own one of the systems, you got the key to access all of them.”
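The shared-key condition Ullrich describes can be audited across a fleet by fingerprinting every public key that root trusts and flagging any key that appears on more than one host. The script below is an added example, not code from Cisco or from the article; the host names and key blobs are constructed, and the fingerprint is computed the same way `ssh-keygen -lf` prints it (SHA256 of the decoded blob, base64 without padding).

```python
import base64
import hashlib
from collections import defaultdict

# Constructed authorized_keys contents for root on three hosts. The blobs are
# base64 of made-up bytes, not real SSH keys; the audit only needs to hash them.
SHARED_BLOB = base64.b64encode(b"constructed vendor support key, same on every host").decode()
UNIQUE_BLOB = base64.b64encode(b"constructed per-host admin key for host-b").decode()

FLEET = {
    "ucdm-host-a": f"ssh-rsa {SHARED_BLOB} support@vendor\n",
    "ucdm-host-b": f"ssh-rsa {SHARED_BLOB} support@vendor\nssh-ed25519 {UNIQUE_BLOB} admin@host-b\n",
    "ucdm-host-c": f"# comment line\n\nssh-rsa {SHARED_BLOB} support@vendor\n",
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) per key line, skipping blanks and comments.

    Simplified: option fields containing quoted spaces are not handled; the key
    type is taken as the first field starting with 'ssh-' or 'ecdsa-'.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield fingerprint(fields[idx + 1]), " ".join(fields[idx + 2:])


def shared_keys(fleet: dict) -> dict:
    """Map fingerprint -> sorted hosts for every key root trusts on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, text in fleet.items():
        for fp, _comment in parse_authorized_keys(text):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(FLEET).items():
        print(f"{fp} trusted for root on {len(hosts)} hosts: {', '.join(hosts)}")
```

In a real audit, replace FLEET with the contents of /root/.ssh/authorized_keys collected from each host; a key that legitimately belongs to a single administrator should appear on one host, while a vendor-wide key shows up everywhere.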

The privilege escalation issue (CVE-2014-2197) can be exploited in all Unified CDM Application Software versions prior to 8.1.4.

Version 10 of the Cisco Unified CDM Application Software, expected to become available in September, and later versions do not implement the web framework for BVSMWeb and, as such, are not affected by the data manipulation vulnerability.

A workaround exists, though, and it consists of relying on “the functionality offered by the Cisco Unified Communication Manager and the Cisco Unified CDM Self-Care portal instead of the Cisco Unified CDM BVSMWeb portal to provide services.”