A red-faced Cisco has pushed out a patch for a bunch of virtual security appliances that had hard-coded SSH keys.
Since the keys belong to the virty appliances' remote management interface, anyone holding them could log in over SSH and waltz through the devices.
The Borg has announced that its Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) all carry default keys for their remote support access.
The virtual appliances ship with a hard-coded default authorised SSH key (the public half of a key pair whose private half is the same on every installation) and hard-coded SSH host keys, so every appliance built from the same image shares both.
“IP address connectivity to the management interface on the affected platform is the only requirement for the products to be exposed to this vulnerability. No additional configuration is required for this vulnerability to be exploited,” the advisory states.
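As an added illustration (not from the article or from Cisco), the check a defender would run over a fleet of such appliances: collect each management interface's SSH host key with `ssh-keyscan` and flag any fingerprint presented by more than one host, since appliances cloned from one image with hard-coded host keys all present the same key. The hosts and key blobs below are constructed sample data, not real Cisco keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample of `ssh-keyscan -t rsa <host>` output for three management
# interfaces. Addresses are hypothetical and the key blobs are made up (shortened,
# not real Cisco keys). Two of the appliances present the same host key.
SAMPLE_KEYSCAN = """\
# 10.0.0.11:22 SSH-2.0-OpenSSH
10.0.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedKEY01
# 10.0.0.12:22 SSH-2.0-OpenSSH
10.0.0.12 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedKEY01
# 10.0.0.13:22 SSH-2.0-OpenSSH
10.0.0.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedKEY02
"""


def parse_keyscan(text):
    """Yield (host, key_type, base64_blob) from ssh-keyscan output, skipping
    the '# host:port banner' comment lines keyscan prints to stderr/stdout."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(decoded key)) without
    padding, prefixed 'SHA256:'. Padding is restored before decoding because
    keyscan output omits it."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(text):
    """Return {'<type> <fingerprint>': [hosts...]} for every host key that more
    than one scanned host presents. An empty result means every appliance has a
    unique host key; any entry is the symptom of a shared hard-coded key."""
    hosts_by_key = defaultdict(set)
    for host, key_type, blob in parse_keyscan(text):
        hosts_by_key[f"{key_type} {fingerprint(blob)}"].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {key} on {', '.join(hosts)}")
```

A unique host key per appliance does not prove the hard-coded authorised key is gone; only applying the vendor patch, which deletes the preinstalled keys, removes that.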
Cisco's put out a patch for the vuln (“cisco-sa-20150625-ironport SSH Keys Vulnerability Fix”), and says all virtual appliances from before 25 June 2015 need the fix. The patch deletes the preinstalled keys and forces a reset.
“This patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after June 25, 2015”, the advisory continues.
The company has also pulled WSAv, ESAv, and SMAv images while it patches them, but says new versions will be posted “in the following days” to let customers stick to planned update schedules. ®