Remote support functionality exposes WSAv, ESAv and SMAv

Jun 26, 2015 16:36 GMT

Default SSH (Secure Shell) keys hard-coded in three security software appliances from Cisco could be used by unauthorized parties to connect to the products with elevated privileges or decrypt traffic passing through them.

Cisco has found that Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) have the same authorized SSH keys and SSH host keys across all installations.

One of the flaws has critical severity

The vulnerability is part of the remote support functionality and affects all versions of the products, including the VMware-based images and, in the case of WSAv, the KVM-based image as well.

Tracked as CVE-2015-4216, the authorized SSH key vulnerability can be leveraged by a threat actor to connect remotely with privileges of the root user to any of the aforementioned security appliances, without the need to authenticate.

Exploiting CVE-2015-4216 does not require any additional configuration, and an attacker would only have to access the IP for the management interface of the vulnerable platform in order to carry out an attack.

The severity score is critical as per the CVSS (Common Vulnerability Scoring System), being established at 9.3 out of 10 because the impact on the confidentiality and integrity of the platform is complete, an attack can be carried out remotely with medium complexity, and no authentication is needed.

Cisco released free updates to eliminate risks

In the case of the default SSH host key flaw (CVE-2015-4217), the severity level is lower, 5.8, because confidentiality and integrity impact are partial.

“An attacker could exploit this vulnerability by obtaining one of the SSH private keys and using it to impersonate or decrypt communication between any WSAv, ESAv, or SMAv,” a security advisory from Cisco says.

For a successful compromise, the attacker has to be positioned between the WSAv or ESAv machine and the host it communicates with, in order to intercept the exchanged traffic. With SMAv, exploitation is possible if the product manages a content security appliance, Cisco says.
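The defining symptom of both issues above is that every installation carries the same key material: the same authorized key (CVE-2015-4216) and the same SSH host key (CVE-2015-4217). The practical check an administrator can run is therefore a fleet-wide comparison of SSH host key fingerprints, since a host key that appears on more than one appliance is exactly the condition the advisory describes. The script below is an added example written for this article, not code from Cisco or from the advisory. It parses `ssh-keyscan`-style output lines (host, key type, base64 key), computes OpenSSH-style SHA256 fingerprints, and reports any fingerprint shared by several hosts. The hostnames, the key blobs and the "known bad" fingerprint list are all constructed placeholders; the key blobs are syntactically shaped like ed25519 public keys but are not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KNOWN_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _dummy_ed25519_blob(seed_byte):
    """Build a constructed, non-functional ed25519 public key blob in SSH wire
    format (string key-type, string 32-byte point) so the sample data below has
    the right shape. Placeholder only; this is not a usable key."""
    key_type = b"ssh-ed25519"
    point = bytes([seed_byte]) * 32
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(point)) + point)
    return base64.b64encode(blob).decode()


# Constructed sample in the format `ssh-keyscan -t ed25519 <host>` prints:
# three appliances share one host key (the advisory's condition), one has its
# own key, and an unrelated jump host has a third key. Hostnames are made up.
SAMPLE_KEYSCAN = "\n".join([
    f"wsa-01.example.internal ssh-ed25519 {_dummy_ed25519_blob(1)}",
    f"wsa-02.example.internal ssh-ed25519 {_dummy_ed25519_blob(1)}",
    f"esa-01.example.internal ssh-ed25519 {_dummy_ed25519_blob(1)}",
    f"sma-01.example.internal ssh-ed25519 {_dummy_ed25519_blob(2)}",
    f"jumphost.example.internal ssh-ed25519 {_dummy_ed25519_blob(3)}",
])

# Placeholder list of fingerprints an organisation has decided are unacceptable
# (for instance the fingerprint of a vendor default key). Assumed, not from the
# advisory, which publishes no fingerprints.
KNOWN_BAD_FINGERPRINTS = set()


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over
    the decoded key blob, matching what `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Parse keyscan lines into (host, key_type, fingerprint) tuples.
    Blank lines, comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in KNOWN_KEY_TYPES:
            continue
        host, key_type, blob = parts[0], parts[1], parts[2]
        try:
            entries.append((host, key_type, fingerprint(blob)))
        except (ValueError, TypeError):
            # Undecodable base64: leave it out rather than crash the audit.
            continue
    return entries


def find_shared_host_keys(entries):
    """Return {fingerprint: [hosts]} for every fingerprint seen on more than
    one host. A non-empty result means host keys are duplicated across the
    fleet, which is the condition the advisory describes."""
    by_fp = defaultdict(list)
    for host, _, fp in entries:
        by_fp[fp].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


def find_known_bad(entries, bad_fingerprints):
    """Return (host, fingerprint) pairs whose key is on the deny list."""
    return [(host, fp) for host, _, fp in entries if fp in bad_fingerprints]


if __name__ == "__main__":
    scanned = parse_keyscan(SAMPLE_KEYSCAN)
    for fp, hosts in find_shared_host_keys(scanned).items():
        print(f"SHARED host key {fp} on: {', '.join(hosts)}")
    for host, fp in find_known_bad(scanned, KNOWN_BAD_FINGERPRINTS):
        print(f"KNOWN-BAD key {fp} on: {host}")
```

In real use, feed it the combined output of `ssh-keyscan` run against the management addresses of the appliances (and of any other hosts, so that an appliance sharing a key with something outside the product line also shows up), and add fingerprints of keys you want retired to the deny list. Hosts reported as sharing a key are the ones where the host key should be regenerated and `known_hosts` entries refreshed after the vendor update is applied.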

Remediation of the issues has been achieved by releasing free software updates for all affected products.