Cisco has released security updates to address critical security flaws that would allow unauthorized bad actors to hijack unpatched devices by using hardcoded credentials or default SSH keys. With SSH machine identities providing the highest level of privileged access, SSH key flaws, like the one patched by Cisco, might provide threat actors with a backdoor to critical systems.
CISA also released an advisory asking administrators to review Cisco's guidance and apply all the necessary updates to block malicious attempts to take over impacted systems. If you think this vulnerability affects you, then you really need to understand the potential risks of using default SSH keys and patch your affected devices quickly.
Default SSH keys open systems to remote attacks
According to the Cisco advisory, the vulnerability “could allow an unauthenticated, remote attacker to log in to an affected system as the root user. An attacker could exploit this vulnerability by connecting to an affected device through SSH.”
The vulnerability exists because static SSH keys are used across installations, meaning that an adversary could extract the keys from an attacker-controlled system and then log in to a vulnerable system.
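A defensive audit for the condition described above, the same key trusted on more than one installation, as an added example that is not from Cisco's advisory or the original post: it fingerprints `authorized_keys` entries per host and reports any key present on several hosts. The host names and key material are constructed sample data, and the inventory format (host name mapped to file contents) is an assumption.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def fingerprint(line):
    """SHA256 fingerprint (as ssh-keygen -l prints it) of one key line, or None."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # options, comments and key-type names are not base64
            continue
        if len(blob) < 4:
            continue
        # The blob begins with a length-prefixed key type that must equal the text field.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == fields[i].encode():
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def shared_keys(inventory):
    """Map fingerprint -> sorted hosts, for keys trusted on more than one host."""
    seen = defaultdict(set)
    for host, text in inventory.items():
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                fp = fingerprint(line)
                if fp:
                    seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def _sample_key(seed):
    """Constructed ed25519-format public key line (sample data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    return "ssh-ed25519 " + base64.b64encode(blob + hashlib.sha256(seed).digest()).decode()

IMAGE_KEY = _sample_key(b"shipped-in-image")
SAMPLE_INVENTORY = {  # constructed: host name -> contents of root's authorized_keys
    "node-a": IMAGE_KEY + " installer@image\n" + _sample_key(b"alice") + " alice@laptop\n",
    "node-b": '# from image\ncommand="/usr/bin/backup run",no-pty ' + IMAGE_KEY + " installer@image\n",
    "node-c": _sample_key(b"carol") + " carol@laptop\n",
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} is trusted on {len(hosts)} hosts: {', '.join(hosts)}")
```

A key reported here is only a candidate: a shared administrator key is expected on several hosts, whereas a key that arrived with the installation image on every node is the pattern to rotate.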
To address the vulnerability, Cisco has released software updates. However, administrators need to be aware that releases 21.2.0 and later will automatically create new SSH keys during installation, but not during an upgrade. If a device is upgraded from 21.1.0, the keys should still be changed by using the following procedure:
Hardcoded credentials allow for unauthorized configuration changes
Another vulnerability disclosed by Cisco affects the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT).
According to the company’s advisory: “Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions:
- Log in with a default credential if the Telnet protocol is enabled
- Perform command injection
- Modify the configuration”
A remote attacker can exploit the flaw in the Telnet service of Cisco Catalyst PON Series Switches ONT to log in to the affected device by using a debugging account with a hardcoded password.
“A vulnerability in the Telnet service of Cisco Catalyst PON Series Switches ONT could allow an unauthenticated, remote attacker to log in to the affected device by using a debugging account that has a default, static password,” notes the advisory.
The Telnet service is not enabled by default and the issue could be exploited only on devices configured to allow Telnet connections.
Weak SSH key management creates increased risks
In traditional business settings, SSH keys and the SSH protocol are used to provide data encryption and allow IT administrators to manage systems and applications remotely, deliver software patches, or execute commands.
SSH keys have become increasingly popular because they help to automate access to servers, back up data, and configure systems. Their design allows for cross-border authenticated connectivity, enabling users and administrators to take advantage of single sign-on functionality and move between accounts and applications without typing passwords.
The SSH protocol and keys have become a critical security component of digital transformation, enabling modern, cloud-based businesses seeking to enforce a strong access control strategy. These businesses can no longer base their authentication mechanisms on insecure, legacy passwords. Passwords can be easily compromised using known tactics, such as brute-force attacks or phishing campaigns.
If organizations mismanage their SSH keys, they could expose themselves to significant digital security risks, including:
- Unauthorized access to privileged accounts.
- Undetected lateral movement of attackers by abusing persistent SSH trust relationships to their advantage.
- Circumvented security controls to leverage legitimate connections for malicious actions.
- Unauthorized use of SSH servers.
Control your SSH keys
To defend against these risks, it is imperative that organizations properly manage and configure their SSH machine identities. Policies and procedures play a critical role in SSH security by establishing consistent baseline requirements across the diverse systems and environments where SSH keys are deployed. The policies should clearly define roles and responsibilities to prevent misunderstandings that result in security lapses and to ensure accountability.
Venafi SSH Protect helps organizations safeguard enterprise SSH machine identities and the host-to-host connections they enable by discovering, protecting and automating their lifecycle.