Cisco has released security updates for a critical vulnerability in the Cisco Umbrella Virtual Appliance (VA) that lets an unauthenticated, remote attacker obtain administrator credentials.
The flaw, tracked as CVE-2022-20773, was reported by Fraser Hess of Pinnacol Assurance and lies in the SSH host key used by the Umbrella VA's key-based SSH authentication.
These on-premises virtual machines act as conditional DNS forwarders that log, encrypt, and authenticate DNS traffic sent to Cisco Umbrella, a cloud-delivered security service used by more than 24,000 organizations for DNS-layer protection against phishing, malware, and ransomware.
“The presence of a static SSH host key causes this vulnerability. A man-in-the-middle attack on an SSH connection to the Umbrella VA might be used to exploit this vulnerability,” Cisco explained.
“A successful exploit might let the attacker get administrator credentials, modify configurations, or reload the VA,” the advisory adds.
Cisco Umbrella VA for Hyper-V and VMware ESXi running software releases earlier than 3.3.2 is affected.
Umbrella VA instances left in the default configuration are not affected.
That is because, according to Cisco, the SSH service is disabled by default on Umbrella on-premises virtual machines, which limits the overall impact of the issue.
To check whether SSH is enabled on your Cisco Umbrella Virtual Appliances, log in to the hypervisor console, press CTRL+B to enter configuration mode, and run the config va show command to display the VA's settings.
On appliances with SSH enabled, the command output ends with an “SSH access: enabled” line.
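The following is an added example (not Cisco code and not from the advisory) of the two checks a practitioner would want to run across a fleet: parse config va show output for the “SSH access: enabled” line, and compare the SSH host-key fingerprints presented by several appliances. It assumes that a static host key means every affected appliance presents the same key, so two or more VAs with an identical fingerprint is the condition to flag. The hostnames and key blobs are constructed for the example; the live collector uses ssh-keyscan and is not called in the offline path.

```python
"""Fleet check for a shared (static) SSH host key across Cisco Umbrella VAs.

Added example, not Cisco code. Assumption: a static host key means every
affected appliance presents the same key, so identical fingerprints on two
or more appliances is what to look for. Hostnames and key blobs below are
constructed for illustration.
"""
import base64
import hashlib
import subprocess
from collections import defaultdict


def openssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH's display form (unpadded base64)."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Parse ssh-keyscan output lines: '<host> <keytype> <base64 key>'.

    '#' comment lines and malformed lines are skipped.
    Returns a list of (host, keytype, fingerprint) tuples.
    """
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, key_b64 = parts[0], parts[1], parts[2]
        records.append((host, keytype, openssh_fingerprint(key_b64)))
    return records


def shared_host_keys(records):
    """Group hosts by (keytype, fingerprint); keep groups seen on more than one host."""
    groups = defaultdict(set)
    for host, keytype, fp in records:
        groups[(keytype, fp)].add(host)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def ssh_access_enabled(config_va_show_output: str) -> bool:
    """True if 'config va show' output contains the 'SSH access: enabled' line."""
    return any(
        line.strip().lower() == "ssh access: enabled"
        for line in config_va_show_output.splitlines()
    )


def scan_hosts(hosts, key_types="rsa,ecdsa,ed25519", timeout=5):
    """Live collector: run ssh-keyscan per host and return the raw output lines.

    Not invoked by the offline sample below; feed its result to parse_keyscan().
    """
    lines = []
    for host in hosts:
        proc = subprocess.run(
            ["ssh-keyscan", "-T", str(timeout), "-t", key_types, host],
            capture_output=True, text=True, check=False,
        )
        lines.extend(proc.stdout.splitlines())
    return lines


# Constructed sample: three appliances, two of which present the same
# ed25519 key (the static-key condition); the third has a unique key.
# The blobs are arbitrary bytes, not real keys; the fingerprinting is the same.
SHARED_KEY_B64 = base64.b64encode(b"constructed shared host key blob").decode()
UNIQUE_KEY_B64 = base64.b64encode(b"constructed unique host key blob").decode()
SAMPLE_KEYSCAN = [
    "# va1.example.internal:22 SSH-2.0-OpenSSH",
    f"va1.example.internal ssh-ed25519 {SHARED_KEY_B64}",
    f"va2.example.internal ssh-ed25519 {SHARED_KEY_B64}",
    f"va3.example.internal ssh-ed25519 {UNIQUE_KEY_B64}",
]


def audit(keyscan_lines=SAMPLE_KEYSCAN):
    """Return the shared-key findings for a set of ssh-keyscan lines."""
    return shared_host_keys(parse_keyscan(keyscan_lines))


if __name__ == "__main__":
    for (keytype, fp), hosts in audit().items():
        print(f"{keytype} {fp} shared by: {', '.join(hosts)}")
```

Note that pinning the appliance's fingerprint in known_hosts does not mitigate this class of bug: anyone who extracts the static private key from any copy of the image can present the same pinned key, so the client cannot tell the real VA from an impostor. The check above only tells you which appliances are exposed; the fix is the updated release.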
Cisco says there are no workarounds for this vulnerability, so it recommends that customers upgrade to a fixed software release.
The Cisco Product Security Incident Response Team (PSIRT) also said it is not aware of any publicly available proof-of-concept exploit code or of any active exploitation in the wild.
In November, Cisco also patched a critical-severity vulnerability (CVE-2021-40119) in the key-based SSH authentication of Cisco Policy Suite, caused by default SSH keys, that could let unauthenticated remote attackers log in as root.
On the same day, Cisco fixed a second critical vulnerability (CVE-2021-34795) in the Telnet service of Cisco Catalyst PON Series Switches ONT: hard-coded credentials allowed unauthenticated attackers to log in remotely through a debugging account with a default password.