Cisco warns of default SSH keys shipped in three products

Cisco Systems said Thursday it released a patch for three products that shipped with default encryption keys, posing a risk that an attacker with the keys could decrypt data traffic.

The products are Cisco’s Web Security Virtual Appliance, Email Security Virtual Appliance and Security Management Virtual Appliance, it said in an advisory. Versions downloaded before Thursday are vulnerable.

Cisco said it “is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.”

The three products all shipped with preinstalled encryption keys for SSH (Secure Shell), which is used to remotely log into machines. It’s considered a bad security practice to ship products that all have the same private keys.

If attackers obtained the private keys, it would be possible to decrypt traffic after collecting it during a man-in-the-middle attack. It would also be possible to impersonate one of the appliances or alter traffic, Cisco warned.

The patch deletes the preinstalled SSH keys and provides instructions for how customers can completely fix the problem. Cisco wrote that the patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after Thursday.

The fix is named “cisco-sa-20150625-ironport SSH Keys Vulnerability Fix” in a list of product upgrades. It must be manually installed from a command line interface, it said.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.