Menu
Cisco warns of default SSH keys shipped in three products

Cisco warns of default SSH keys shipped in three products

The flaw could allow an attacker to decrypt traffic exchanged by three Cisco virtual appliances

Cisco Systems has issued a patch for three products that shipped with default SSH keys.

Cisco Systems has issued a patch for three products that shipped with default SSH keys.

Cisco Systems said on Thursday it released a patch for three products that shipped with default encryption keys, posing a risk that an attacker with the keys could decrypt data traffic.

The products are Cisco's Web Security Virtual Appliance, Email Security Virtual Appliance and Security Management Virtual Appliance, it said in an advisory. Versions downloaded before Thursday are vulnerable.

Cisco said it "is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory."

The three products all shipped with preinstalled encryption keys for SSH (Secure Shell), which is used to remotely log into machines. It's considered a bad security practice to ship products that all have the same private keys.

If attackers obtained the private keys, it would be possible to decrypt traffic after collecting it during a man-in-the-middle attack. It would also be possible to impersonate one of the appliances or alter traffic, Cisco warned.

The patch deletes the preinstalled SSH keys and provides instructions for how customers can completely fix the problem. Cisco wrote that the patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after Thursday.

The fix is named "cisco-sa-20150625-ironport SSH Keys Vulnerability Fix" in a list of product upgrades. It must be manually installed from a command line interface, it said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Cisco Systemssecuritydata breachencryptionExploits / vulnerabilities

Slideshows

Meet the leading HP partners in New Zealand...

Meet the leading HP partners in New Zealand...

HP has recognised its top performing partners in New Zealand at the second annual 2016 HP Partner Awards, held at a glittering bash in Auckland. The HP Partner Awards recognises and celebrates excellence, growth, consistency and engagement of its top partners. This year also saw the addition of several new categories, resulting in 11 companies winning across 11 award categories.

Meet the leading HP partners in New Zealand...
Channel comes together as Ingram Micro Showcase hits Auckland

Channel comes together as Ingram Micro Showcase hits Auckland

Ingram Micro outlined its core focuses for 2017 at Showcase in Auckland, bringing together the channel for a day of engaging keynotes, compelling breakout sessions and new technologies.

Channel comes together as Ingram Micro Showcase hits Auckland
Show Comments