In late June and early July this year Cisco released security updates for its Unified Communications Domain Manager Software, Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) devices to resolve their use of default passwords and SSH keys. Such default keys/credentials are not uncommon as mentioned in my post detailing SAP’s use of a default encryption key for their HANA database. It should be noted that Cisco is not the only vendor to have used default SSH (Secure Shell) keys.
When the Unified Communications Domain Manager Platform Software is installed, a fully privileged account is created by default, and the password for this account is the same across all installations of the software. If an attacker obtained that password, they could remotely and anonymously connect to the system running this software via SSH and take complete control of it (since the default account has root privileges).
A similar default SSH key was found to be in use within the above-mentioned Cisco security appliances. Just as detailed above, an SSH key is present on all of these appliances by default. Again, if this key were obtained and used by an attacker, they would have complete control of your Cisco security appliances. Fortunately, both of these classes of issues in Cisco products were discovered by internal security testing and not by attackers leveraging them before they were patched/fixed.
Update: July 13th 2015: The Cisco security advisory for the relevant Cisco security appliances mentioned below clarifies (within the “Details” section) that the static SSH keys stored within the Cisco security appliances are the private keys. Since SSH uses asymmetric cryptography, an attacker who obtains the private key can impersonate the security appliance and decrypt communications among these appliances. The attacker would need to carry out a man-in-the-middle (MITM) attack in order to decrypt the communications.
How Can I Protect Myself From These Issues?
If your company uses any of the above mentioned Cisco products, please follow the directions within the Cisco security advisories mentioned below to resolve these critical vulnerabilities:
As mentioned in this news article Cisco have resolved such flaws in the past and the potential for attack/exploitation is very real since the exploit framework Metasploit has exploits for similar flaws and firms such as Rapid7 are building libraries of known SSH keys.
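One practical defensive check that follows from the above: if several appliances present the same SSH host key, that key is almost certainly a vendor default rather than one generated per device, and a published library of known keys (of the kind mentioned above) can be matched by fingerprint. The script below is an added example written for this post, not code from Cisco or Rapid7; it audits a known_hosts-style inventory, flags keys shared by more than one host, matches fingerprints against a caller-supplied set of known default keys, and rejects malformed entries. The hostnames, the 32-byte key material and the default-key set are all constructed for the demonstration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_type(b64_key: str) -> str:
    """Algorithm name stored inside the blob as its first length-prefixed string."""
    blob = base64.b64decode(b64_key, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def audit_host_keys(known_hosts_text: str, known_default: set) -> dict:
    """Group hosts by key fingerprint; flag keys seen on more than one host,
    keys present in a published default-key list, and entries that do not parse."""
    by_fp, malformed = defaultdict(list), []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank, comment or otherwise unusable line
        host, key_type, b64_key = parts[:3]
        try:
            if blob_type(b64_key) != key_type:
                raise ValueError("declared type does not match blob")
            by_fp[ssh_fingerprint(b64_key)].append(host)
        except (ValueError, struct.error, UnicodeDecodeError):  # binascii.Error is a ValueError
            malformed.append(host)
    shared = {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}
    default = {h: fp for fp, hosts in by_fp.items() if fp in known_default for h in hosts}
    return {"shared": shared, "default": default, "malformed": malformed}

def ed25519_key_b64(raw32: bytes) -> str:
    """Encode the OpenSSH Ed25519 public key blob: string('ssh-ed25519') || string(raw32)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample (not real Cisco keys): wsa-1 and esa-1 deliberately share one host key.
SHARED_KEY = ed25519_key_b64(bytes(range(32)))
UNIQUE_KEY = ed25519_key_b64(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = (
    f"wsa-1.example.test ssh-ed25519 {SHARED_KEY}\n"
    f"esa-1.example.test ssh-ed25519 {SHARED_KEY}\n"
    f"sma-1.example.test ssh-ed25519 {UNIQUE_KEY}\n"
    f"odd-1.example.test ssh-rsa {SHARED_KEY}\n"  # declared type disagrees with the blob
)
```

Running `audit_host_keys(SAMPLE_KNOWN_HOSTS, {ssh_fingerprint(SHARED_KEY)})` reports the two appliances sharing a key, both of them as matches for the (here constructed) default-key list, and the mismatched entry as malformed; in practice the known-default set would be loaded from a published fingerprint library and the inventory from `ssh-keyscan` output.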