
Cisco has released security updates to address a high-severity vulnerability in the Cisco Umbrella Virtual Appliance (VA) that could allow unauthenticated remote attackers to steal administrator credentials.

Fraser Hess of Pinnacol Assurance found the flaw (tracked as CVE-2022-20773) in the key-based SSH authentication mechanism of Cisco Umbrella VA.

Cisco Umbrella, a cloud-delivered security service used by more than 24,000 organizations for DNS-layer protection against phishing, malware, and ransomware, uses these on-premises virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data.


"This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA," Cisco explained.

"A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA."

The vulnerability affects the Cisco Umbrella VA for Hyper-V and VMware ESXi running software versions earlier than 3.3.2.
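Because the flaw is a static host key, every affected appliance presents the same SSH host key, so a fleet-wide comparison of host-key fingerprints is a simple way for defenders to spot the condition (and any other shared-key appliance) from inventory data. The script below is an added example, not Cisco's tooling or anything from the advisory. It reads the text format that ssh-keyscan prints ("host keytype base64-blob"), computes OpenSSH-style SHA256 fingerprints, and reports fingerprints seen on more than one host. The hostnames and key blobs are constructed placeholders, not real Umbrella VA keys.

```python
"""Flag SSH host keys that are shared by more than one appliance.

Input is ssh-keyscan's output format: "host keytype base64blob".
All sample data below is constructed for illustration.
"""
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64, no padding."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, keytype, fingerprint) for each well-formed keyscan line."""
    for line in lines:
        line = line.strip()
        # ssh-keyscan emits "# host:port banner" comment lines; skip them.
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ignore rather than crash the sweep
        host, keytype, blob = parts[0], parts[1], parts[2]
        yield host, keytype, fingerprint(blob)


def shared_host_keys(lines):
    """Return {fingerprint: sorted hosts} for every key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, fp in parse_keyscan(lines):
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample: two appliances presenting the same placeholder key, one unique.
_SHARED_BLOB = base64.b64encode(b"constructed-shared-host-key-blob").decode()
_UNIQUE_BLOB = base64.b64encode(b"constructed-unique-host-key-blob").decode()
SAMPLE_KEYSCAN = [
    "# va-01.example.internal:22 SSH-2.0-OpenSSH",
    f"va-01.example.internal ssh-ed25519 {_SHARED_BLOB}",
    f"va-02.example.internal ssh-ed25519 {_SHARED_BLOB}",
    f"va-03.example.internal ssh-ed25519 {_UNIQUE_BLOB}",
]

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```

In practice you would feed it the saved output of ssh-keyscan run against your own appliance inventory; a fingerprint that shows up on every VA is the signature of a vendor-shipped static key, and is the reason the advisory recommends upgrading rather than simply rotating credentials.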

No impact on default Umbrella VA configurations

Luckily, Cisco says that the SSH service is not enabled by default on Umbrella on-premises virtual machines, which significantly lowers the vulnerability's overall impact.

To check whether SSH is enabled on your Cisco Umbrella Virtual Appliances, log into the hypervisor console, enter configuration mode by pressing CTRL+B, and display the VA's configuration by running the "config va show" command.

On systems where SSH is enabled, the command output includes an "SSH access : enabled" line at the end.

There are no workarounds or mitigations for this security flaw, so Cisco advises customers to upgrade to a fixed software release.

Cisco Umbrella Virtual Appliance Software Release | First Fixed Release
3.2 and earlier                                    | Migrate to a fixed release.
3.3                                                | 3.3.2
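The two checks above (is SSH on, and is the release below 3.3.2) are easy to combine into a triage step when you have the "config va show" output saved from several appliances. The script below is an added example and is not Cisco's code. The only output line it takes from the advisory is "SSH access : enabled"; the "Version : x.y.z" line it parses is an assumed format for illustration, so adjust that regex to whatever your appliance actually prints. The sample outputs are constructed.

```python
"""Triage Cisco Umbrella VA "config va show" output against the CVE-2022-20773 fix table.

Assumptions (not from the advisory): the output carries a "Version : x.y.z" line.
The "SSH access : enabled" line is the one the advisory documents.
"""
import re
from typing import NamedTuple, Optional, Tuple

FIRST_FIXED = (3, 3, 2)  # 3.3.2 per Cisco's fixed-release table; 3.2 and earlier must migrate


class Assessment(NamedTuple):
    version: Optional[Tuple[int, int, int]]
    ssh_enabled: bool
    affected: bool   # software release is below the first fixed release
    exposed: bool    # affected AND SSH is enabled, i.e. the flaw is reachable
    action: str


def parse_version(text: str):
    """Extract (major, minor, patch) from an assumed 'Version : x.y[.z]' line."""
    m = re.search(r"^\s*Version\s*:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M | re.I)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def ssh_enabled(text: str) -> bool:
    """True when the documented 'SSH access : enabled' line is present."""
    return re.search(r"^\s*SSH access\s*:\s*enabled\s*$", text, re.M | re.I) is not None


def assess(text: str) -> Assessment:
    ver = parse_version(text)
    ssh = ssh_enabled(text)
    if ver is None:
        # Fail closed: without a version we cannot prove the VA is fixed.
        return Assessment(None, ssh, True, ssh, "version not found; verify manually")
    affected = ver < FIRST_FIXED
    if not affected:
        action = "fixed release; no action needed"
    elif ver[:2] >= (3, 3):
        action = "upgrade to 3.3.2 or later"
    else:
        action = "migrate to a fixed release (3.3.2 or later)"
    if affected and not ssh:
        action += "; SSH is disabled, so exposure is limited until the upgrade"
    return Assessment(ver, ssh, affected, affected and ssh, action)


# Constructed samples; the field layout is assumed, not copied from a real appliance.
SAMPLE_EXPOSED = "Umbrella Virtual Appliance\nVersion : 3.3.1\nHostname : va-01\nSSH access : enabled\n"
SAMPLE_PATCHED = "Umbrella Virtual Appliance\nVersion : 3.3.2\nSSH access : enabled\n"
SAMPLE_OLD_NO_SSH = "Umbrella Virtual Appliance\nVersion : 3.2.0\nHostname : va-03\n"

if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("patched", SAMPLE_PATCHED),
                         ("old, no SSH", SAMPLE_OLD_NO_SSH)):
        print(name, assess(sample))
```

The split between "affected" and "exposed" matters for prioritisation: an appliance on 3.2 with SSH off still needs the migration Cisco calls for, but the one on 3.3.1 with SSH enabled is the one to schedule first.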

The Cisco Product Security Incident Response Team (PSIRT) also said that there is no public proof-of-concept exploit code available online for this vulnerability and added that it's not aware of any ongoing exploitation in the wild.

In November, Cisco also fixed a similar critical-severity bug (CVE-2021-40119) caused by default SSH keys in the key-based SSH authentication mechanism of Cisco Policy Suite, which could let unauthenticated remote attackers log into affected systems as the root user.

The same day, the company also addressed a second critical flaw (CVE-2021-34795) linked to hard-coded credentials in the Telnet service of Cisco Catalyst PON Series Switches ONT, which allowed unauthenticated attackers to log in remotely using a debugging account with a default password.
