Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.
This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. Threatpost.com writes that the default key was inserted into the software for support reasons.
Cisco says, "The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user."
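The defining property of the flaw described above is a single authorized key that is identical on every installation, so the first thing a defender can do is collect `authorized_keys` from the fleet and look for any key that recurs across hosts. The following is an added example written for this page, not Cisco's or Threatpost's code: it fingerprints each key line the way OpenSSH does (`SHA256:` plus unpadded base64 of the SHA-256 of the key blob), reports keys present on more than one host or on a denylist of known-bad fingerprints, and produces a cleaned file with those lines removed. It generalizes beyond the vendor key (any recurring key is flagged); `SAMPLE_FLEET`, the hostnames and the base64 blobs are constructed placeholders, not real appliance data.

```python
"""Fleet audit for shared SSH authorized keys.

Added example, not Cisco's or Threatpost's code. Given the authorized_keys
contents collected from many appliances, flag any public key that appears
on more than one host (a key "shared across all the installations" is
exactly what the advisory describes), or that matches a known-bad
fingerprint, and produce a cleaned authorized_keys with those lines removed.
"""
import base64
import hashlib
import shlex
from collections import defaultdict

# Tokens that begin an OpenSSH public key type (ssh-rsa, ssh-ed25519,
# ecdsa-sha2-nistp256, sk-ssh-ed25519@openssh.com, ...).
_KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _line_fingerprint(line: str):
    """Fingerprint of one authorized_keys line.

    Returns None for blank and comment lines. Raises ValueError for a line
    that is neither but carries no decodable key, so the caller can report
    it instead of silently passing over it.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped)          # ValueError on unbalanced quotes
    for i, tok in enumerate(tokens[:-1]):   # options, then type, then blob
        if tok.startswith(_KEY_TYPE_PREFIXES):
            return fingerprint(tokens[i + 1])  # binascii.Error is a ValueError
    raise ValueError("no key type/blob pair found")


def parse_authorized_keys(text: str):
    """Return ([(fingerprint, line), ...], [(lineno, line), ...]) where the
    second list holds lines that could not be parsed and need a human look."""
    entries, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            fp = _line_fingerprint(line)
        except ValueError:
            unparsed.append((lineno, line))
            continue
        if fp is not None:
            entries.append((fp, line))
    return entries, unparsed


def audit(fleet: dict, denylist=frozenset(), min_hosts: int = 2) -> dict:
    """fleet maps hostname -> authorized_keys text.

    Returns {fingerprint: sorted hostnames} for every key that is present on
    at least min_hosts hosts, or whose fingerprint is in denylist (use this
    for a vendor-published fingerprint of a known default key).
    """
    seen = defaultdict(set)
    for host, text in fleet.items():
        entries, _ = parse_authorized_keys(text)
        for fp, _line in entries:
            seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items()
            if len(hosts) >= min_hosts or fp in denylist}


def remediate(text: str, bad_fps) -> str:
    """authorized_keys text with the flagged keys removed. Comments, order and
    per-key options are kept; unparseable lines are kept for manual review."""
    kept = []
    for line in text.splitlines():
        try:
            fp = _line_fingerprint(line)
        except ValueError:
            fp = None
        if fp is None or fp not in bad_fps:
            kept.append(line)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample data: three appliances. VENDOR_BLOB stands in for the
# shared default key and is identical on all three; the others are per-host
# administrator keys. The blobs are not real keys, only base64 placeholders.
VENDOR_BLOB = base64.b64encode(b"constructed-shared-vendor-key-blob").decode()
ADMIN_A = base64.b64encode(b"constructed-admin-key-for-host-a").decode()
ADMIN_B = base64.b64encode(b"constructed-admin-key-for-host-b").decode()

SAMPLE_FLEET = {
    "wsa-01": (f"# support access\nssh-rsa {VENDOR_BLOB} support@vendor\n"
               f"ssh-ed25519 {ADMIN_A} admin-a\n"),
    "esa-01": (f"ssh-rsa {VENDOR_BLOB} support@vendor\n"
               f'command="/usr/bin/backup" ssh-ed25519 {ADMIN_B} backup\n'),
    "sma-01": f"ssh-rsa {VENDOR_BLOB} support@vendor\n",
}

if __name__ == "__main__":
    shared = audit(SAMPLE_FLEET)
    for fp, hosts in shared.items():
        print(f"{fp} present on {len(hosts)} hosts: {', '.join(hosts)}")
    print(remediate(SAMPLE_FLEET["wsa-01"], set(shared)), end="")
```

Unparseable lines are reported rather than skipped, because a malformed line that crashes a naive parser is exactly how an entry escapes an audit; `remediate` keeps such lines untouched so a human decides about them.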
(Score: 5, Insightful) by Anonymous Coward on Saturday June 27 2015, @03:06PM
Looks like they were right to be suspicious: http://www.ibtimes.com/china-bans-apple-cisco-systems-government-use-cyber-security-concerns-or-market-1829564 [ibtimes.com]
Xenophobia or not, this is a backdoor.
Anyone dealing with SSH who's not an idiot would know what having those keys in there means. I find it hard to believe it was "mistakenly" or whatever bullshit they say.
When you put it in, you're giving yourself access. If you seriously didn't want it everywhere, you'd have processes to blow away the entire file (or their equivalent of .ssh/authorized_keys). Otherwise you're not serious about your customers' security and thus you still can't be trusted.
(Score: 0) by Anonymous Coward on Saturday June 27 2015, @03:33PM
While I completely understand your anger, the original article suggests that this is about host keys being the same across product line:
-->8--
“As we come across devices like this, we recommend that vendors instead have a ‘first boot’ procedure that dynamically generates a unique SSH key for that device. That way, the keys are distinct per customer, and not shared among all customers and whomever else gets a hold of the key.
-->8--
(Score: 1, Insightful) by Anonymous Coward on Saturday June 27 2015, @03:36PM
... basically old issue when you're *blindly* cloning VM templates in ESX/vSphere/Xen/KVM/pick-your-favourite virtual world ...
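The "first boot" procedure quoted two comments up and the cloned-VM-template point made here are the same problem from two sides: keys baked into an image are shared by every instance made from it. The following is an added example written for this page, not Cisco's or any vendor's code. It generates host keys on the device itself and, rather than trusting a "done" flag that a template could carry along, binds that flag to the machine identity so a cloned instance regenerates its keys. The identity source here is `/etc/machine-id`, which assumes the image was sealed with an empty machine-id so each clone receives a fresh one (an assumption about the image build, not something this code enforces). The real generator is `ssh-keygen -q -t TYPE -N '' -f PATH`; `_stub_keygen` is a constructed stand-in so `demo()` runs where OpenSSH is not installed.

```python
"""First-boot SSH host key regeneration bound to machine identity.

Added example, not Cisco's or any vendor's code. Host keys are generated on
the device the first time it boots and regenerated automatically whenever
the disk image is cloned, so no two instances share a key. Cloning is
detected by storing the machine-id the keys were made for; the image is
assumed to have been sealed with an empty /etc/machine-id so each clone
gets a new one (an assumption, not enforced here).
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

HOST_KEY_TYPES = ("ed25519", "rsa")        # key types to generate
MARKER_NAME = ".host_keys_generated_for"   # records the machine-id used


def default_keygen(key_type: str, path: Path) -> None:
    """Generate a key pair with OpenSSH's ssh-keygen, empty passphrase."""
    subprocess.run(
        ["ssh-keygen", "-q", "-t", key_type, "-N", "", "-f", str(path)],
        check=True,
    )


def ensure_unique_host_keys(key_dir: Path, machine_id_file: Path,
                            keygen=default_keygen) -> bool:
    """Regenerate host keys unless they were already generated for this
    exact machine identity. Returns True if keys were (re)generated."""
    machine_id = machine_id_file.read_text().strip()
    if not machine_id:
        raise RuntimeError("machine-id is empty; refusing to bind keys to it")
    marker = key_dir / MARKER_NAME
    if marker.exists() and marker.read_text().strip() == machine_id:
        return False                       # same machine, nothing to do
    key_dir.mkdir(parents=True, exist_ok=True)
    # Remove anything inherited from the template image before generating,
    # so a stale key cannot survive alongside the new ones.
    for old in key_dir.glob("ssh_host_*_key*"):
        old.unlink()
    for key_type in HOST_KEY_TYPES:
        keygen(key_type, key_dir / f"ssh_host_{key_type}_key")
    # Write the marker last: a crash mid-way re-runs generation next boot.
    marker.write_text(machine_id + "\n")
    return True


def _stub_keygen(key_type: str, path: Path) -> None:
    """Constructed stand-in for ssh-keygen used only by demo(): writes random
    bytes as the 'private key' so the flow runs without OpenSSH present."""
    path.write_bytes(os.urandom(32))
    path.with_suffix(".pub").write_text(f"ssh-{key_type} CONSTRUCTED {path.name}\n")


def demo() -> dict:
    """Simulate first boot, a plain reboot, and a boot after cloning, in a
    throwaway directory standing in for /etc. Returns what happened."""
    work = Path(tempfile.mkdtemp())
    try:
        key_dir, mid = work / "etc" / "ssh", work / "etc" / "machine-id"
        mid.parent.mkdir(parents=True)
        mid.write_text("constructedmachineid0001\n")       # constructed id
        first = ensure_unique_host_keys(key_dir, mid, keygen=_stub_keygen)
        key_after_first = (key_dir / "ssh_host_ed25519_key").read_bytes()
        reboot = ensure_unique_host_keys(key_dir, mid, keygen=_stub_keygen)
        mid.write_text("constructedmachineid0002\n")       # clone: new id
        clone = ensure_unique_host_keys(key_dir, mid, keygen=_stub_keygen)
        key_after_clone = (key_dir / "ssh_host_ed25519_key").read_bytes()
        return {
            "first_boot_generated": first,
            "reboot_regenerated": reboot,
            "clone_regenerated": clone,
            "clone_key_differs": key_after_first != key_after_clone,
            "files": sorted(p.name for p in key_dir.iterdir()),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

On a real appliance `ensure_unique_host_keys(Path("/etc/ssh"), Path("/etc/machine-id"))` would run from a boot-time unit before sshd starts; the marker must live with the keys so that wiping or replacing the key directory also forces regeneration.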
(Score: 4, Interesting) by kaszz on Saturday June 27 2015, @03:43PM
So basically Cisco are incompetent? ;-)
(or it's NSA that be doing things)
(Score: 0) by Anonymous Coward on Saturday June 27 2015, @09:10PM
It is not a backdoor. It is a default. Whoever trusts default configs for security should never be in charge of it. Everybody except OpenBSD has terrible default security.