Menu
Cisco warns of default SSH keys shipped in three products

Cisco warns of default SSH keys shipped in three products

The flaw could allow an attacker to decrypt traffic exchanged by three Cisco virtual appliances

Cisco Systems has issued a patch for three products that shipped with default SSH keys.

Cisco Systems has issued a patch for three products that shipped with default SSH keys.

Cisco Systems said on Thursday it released a patch for three products that shipped with default encryption keys, posing a risk that an attacker with the keys could decrypt data traffic.

The products are Cisco's Web Security Virtual Appliance, Email Security Virtual Appliance and Security Management Virtual Appliance, it said in an advisory. Versions downloaded before Thursday are vulnerable.

Cisco said it "is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory."

The three products all shipped with preinstalled encryption keys for SSH (Secure Shell), which is used to remotely log into machines. It's considered a bad security practice to ship products that all have the same private keys.

If attackers obtained the private keys, it would be possible to decrypt traffic after collecting it during a man-in-the-middle attack. It would also be possible to impersonate one of the appliances or alter traffic, Cisco warned.

The patch deletes the preinstalled SSH keys and provides instructions for how customers can completely fix the problem. Cisco wrote that the patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after Thursday.

The fix is named "cisco-sa-20150625-ironport SSH Keys Vulnerability Fix" in a list of product upgrades. It must be manually installed from a command line interface, it said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Cisco SystemsExploits / vulnerabilities

Featured

Slideshows

EDGE 2019: Thought leaders share how to build a channel of the future

EDGE 2019: Thought leaders share how to build a channel of the future

Day 2 of EDGE was opened by in-depth research from TRA's Tim Dillon, which outlined the partner view on the channel's future. The following day saw Forrester's Jay McBain and Odgers Berndtson's Tim Sleep conclude the keynote line-up, while HPE and Cisco rounded off the thought leadership.

EDGE 2019: Thought leaders share how to build a channel of the future
Tech credentials on show during Ingram Micro One APAC

Tech credentials on show during Ingram Micro One APAC

Ingram Micro outlined the key technologies for future channel growth on the second day of Ingram Micro One APAC in Singapore, in front of more than 1300 business leaders.

Tech credentials on show during Ingram Micro One APAC
Show Comments