Cisco Security Advisory
Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA, and SMA
Click Icon to Copy Verbose Score
AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) are affected by the following vulnerabilities:
- Cisco Virtual WSA, ESA, and SMA Default Authorized SSH Key Vulnerability
- Cisco Virtual WSA, ESA, and SMA Default SSH Host Keys Vulnerability
Cisco has released software updates that address these vulnerabilities.
There are no workarounds for these vulnerabilities.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
-
Vulnerable Products
Cisco Virtual WSA, ESA, and SMA Default Authorized SSH Key Vulnerability
This vulnerability affects all Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Content Security Management Virtual Appliance (SMAv) Software versions.
For WSAv, both VMware-based and KVM-based images are affected by this vulnerability. For ESAv and SMAv, VMware-based images are affected by this vulnerability.
IP address connectivity to the management interface on the affected platform is the only requirement for the products to be exposed to this vulnerability. No additional configuration is required for this vulnerability to be exploited.
Cisco Virtual WSA, ESA, and SMA Default SSH Host Keys Vulnerability
Customer deployments and images contain a preinstalled set of SSH host keys that allow access to communication secured by those keys. Because all deployments of WSAv or ESAv use the same set of default SSH host keys, accessing any of the private keys on a single deployment could allow an attacker to decrypt communication on WSAv, ESAv, or SMAv.
For WSAv, both VMware-based and KVM-based images are affected by this vulnerability. For ESAv and SMAv, VMware-based images are affected by this vulnerability.
Products Confirmed Not Vulnerable
Only virtual WSA, ESA, and SMA appliances are affected by this vulnerability. Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
Cisco Virtual WSA, ESA, and SMA Default Authorized SSH Key Vulnerability
A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.
The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user.
This vulnerability is documented in the following Cisco bug IDs:
- For Cisco WSAv, the vulnerability is documented in Cisco bug ID CSCuu95988 (registered customers only) and has been assigned CVE ID CVE-2015-4216.
- For Cisco ESAv, the vulnerability is documented in Cisco bug ID CSCuu95994 (registered customers only) and has been assigned CVE ID CVE-2015-4216.
- For Cisco SMAv, the vulnerability is documented in Cisco bug ID CSCuu96630 (registered customers only) and has been assigned CVE ID CVE-2015-4216.
Cisco Virtual WSA, ESA, and SMA Default SSH Host Keys Vulnerability
A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances.
The vulnerability is due to the presence of default SSH host keys that are shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining one of the SSH private keys and using it to impersonate or decrypt communication between any WSAv, ESAv, or SMAv. An exploit could allow the attacker to decrypt and impersonate secure communication between any virtual content security appliances.
At attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack.
Exploiting this vulnerability on Cisco SMAv is possible in all cases in which SMAv is used to manage any content security appliance. Successfully exploiting this vulnerability on Cisco SMAv allows an attacker to decrypt communication toward SMAv, impersonate SMAv, and send altered data to a configured content appliance. An attacker can exploit this vulnerability on a communication link toward any content security appliance that was ever managed by any SMAv.
This vulnerability is documented in the following Cisco bug IDs:
- For Cisco WSAv, the vulnerability is documented in Cisco bug ID CSCus29681 (registered customers only) and has been assigned CVE ID CVE-2015-4217.
- For Cisco ESAv, the vulnerability is documented in Cisco bug ID CSCuu95676 (registered customers only) and has been assigned CVE ID CVE-2015-4217.
- For SMAv, the vulnerability is documented in Cisco bug ID CSCuu96601 (registered customers only) and has been assigned CVE ID CVE-2015-4217.
-
There are no workarounds for these vulnerabilities.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The fix, which is available at the time of the advisory publication, is provided in the form of an updater script patch.
This patch is required for all virtual appliance releases for email security, web security, and content security management that were downloaded or upgraded before June 25, 2015.
This patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after June 25, 2015.
The patch will delete all the preinstalled SSH keys on the appliance. After the key deletion, the patch will also provide customers with additional steps to take for a complete fix.
This patch will be available on all the virtual platforms via the standard upgrade mechanism. The patch appears in the list of upgrades as cisco-sa-20150625-ironport SSH Keys Vulnerability Fix and must be manually installed by using the CLI.
Please refer to the release notes for a complete set of instructions:- http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-release-notes-list.html for WSAv
- http://www.cisco.com/c/en/us/support/security/email-security-appliance/products-release-notes-list.html for ESAv
- http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/products-release-notes-list.html for SMAv
Note: All affected images will be removed from the software downloads section of Cisco.com prior to publication of this advisory. WSAv, ESAv, or SMAv images will not be available for download. New images will be loaded in the following days, which will enable existing customers to continue with any planned updates and new customers to perform installations.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Both vulnerabilities described in this advisory were found during internal tests and product security reviews.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessRevision 1.0 2015-June-25 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.