Default SSH Keys Grant Root Access to Attackers [Cisco Warns]

November 30, 2021 | Anastasios Arampatzis

Cisco has released security updates to address critical security flaws that would allow unauthorized bad actors to hijack unpatched devices by using hardcoded credentials, or default SSH keys. With SSH machine identities providing the highest level of privileged access, SSH key flaws, like the one patched by Cisco, might provide threat actors with a backdoor to critical systems.

CISA also released an advisory asking administrators to review Cisco's guidance and apply all the necessary updates to block malicious attempts to take over impacted systems. If you think this vulnerability affects you, then you really need to understand the potential risks of using default SSH keys and patch your affected devices quickly.

Default SSH keys open systems to remote attacks

Tracked as CVE-2021-40119, the vulnerability has been given a 9.8 severity CVSS score, and it “is due to a weakness in the SSH subsystem” of Cisco Policy Suite, says the company’s advisory.

According to the Cisco advisory, the vulnerability “could allow an unauthenticated, remote attacker to log in to an affected system as the root user. An attacker could exploit this vulnerability by connecting to an affected device through SSH.”

The vulnerability exists because static SSH keys are used across installations, meaning that an adversary could extract the keys from an attacker-controlled system and then log in to a vulnerable system.

To address the vulnerability, Cisco has released software updates. However, administrators need to be aware that releases 21.2.0 and later will automatically create new SSH keys during installation, but not during an upgrade. If a device is upgraded from 21.1.0, the keys should still be changed by using the following procedure:
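The condition described above, one static host key carried by every installation, is something a defender can detect from the outside: collect each device's host key with `ssh-keyscan` and look for a fingerprint that appears on more than one host. The following is an added example, not code from Venafi or Cisco. The hosts, key bytes and the "known static key" list are constructed placeholders; in practice the list would come from your own inventory of factory images.

```python
"""Detect SSH host keys shared across installations from ssh-keyscan style output."""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 blob for an ssh-ed25519 key, in the form ssh-keyscan prints it.
    Used only to build the constructed sample below; raw_pubkey is not a real key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of SHA-256 over the decoded blob, '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, keytype, blob) from 'host keytype blob' lines; skip blanks and '#' comments."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def find_shared_host_keys(lines, known_static_fingerprints=frozenset()):
    """Return {fingerprint: [hosts]} for every key seen on more than one host, or whose
    fingerprint is in the known-static list even if it was seen only once.
    A host key shared by several installations identifies none of them."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(lines):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
            if len(hosts) > 1 or fp in known_static_fingerprints}


# Constructed sample: two appliances still carry the image's factory key after an upgrade,
# the third was reinstalled and generated its own. Key bytes are placeholders, not real keys.
FACTORY_KEY = ed25519_blob(bytes(range(32)))
FRESH_KEY = ed25519_blob(bytes(range(32, 64)))
SAMPLE_KEYSCAN = [
    "# 10.0.0.11:22 SSH-2.0-OpenSSH_8.9",
    f"10.0.0.11 ssh-ed25519 {FACTORY_KEY}",
    f"10.0.0.12 ssh-ed25519 {FACTORY_KEY}",
    f"10.0.0.13 ssh-ed25519 {FRESH_KEY}",
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

To run this against a real fleet, capture the keys with `ssh-keyscan -t ed25519,rsa host1 host2 ... > scan.txt` and pass the file's lines to `find_shared_host_keys`. Any fingerprint reported with more than one host is a key that was never regenerated on at least one of those devices and should be replaced before the device is trusted.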

Hardcoded credentials allow for unauthorized configuration changes

Another vulnerability disclosed by Cisco affects the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT).

According to the company’s advisory: “Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions:

  • Log in with a default credential if the Telnet protocol is enabled
  • Perform command injection
  • Modify the configuration”

A remote attacker can exploit the flaw in the Telnet service of Cisco Catalyst PON Series Switches ONT to log in to the affected device by using a debugging account with a hardcoded password.

“A vulnerability in the Telnet service of Cisco Catalyst PON Series Switches ONT could allow an unauthenticated, remote attacker to log in to the affected device by using a debugging account that has a default, static password,” notes the advisory.

The Telnet service is not enabled by default and the issue could be exploited only on devices configured to allow Telnet connections.

Weak SSH key management creates increased risks

In traditional business settings, SSH keys and the SSH protocol are used to provide data encryption and allow IT administrators to manage systems and applications remotely, deliver software patches, or execute commands.

SSH keys have become increasingly popular because they help to automate access to servers, back up data, and configure systems. Their design allows for authenticated connectivity across system boundaries, enabling users and administrators to take advantage of single sign-on functionality and move between accounts and applications without typing passwords.

The SSH protocol and keys have become a critical security component of digital transformation, enabling modern, cloud-based businesses seeking to enforce a strong access control strategy. These businesses can no longer base their authentication mechanisms on insecure, legacy passwords. Passwords can be easily compromised using known tactics, such as brute-force attacks or phishing campaigns.

If organizations mismanage their SSH keys, they could expose themselves to significant digital security risks, including:

  • Unauthorized access to privileged accounts
  • Undetected lateral movement of attackers by abusing persistent SSH trust relationships to their advantage
  • Circumvented security controls to leverage legitimate connections for malicious actions
  • Unauthorized use of SSH servers
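The risks listed above are visible in the keys an organization has authorized: a key on a privileged account with no source restriction, a key authorized on many hosts (a ready-made lateral-movement path), or a key type that is too weak to trust. The following is an added example of a baseline audit over `authorized_keys` files collected from several hosts; it is not Venafi's or Cisco's code. The baseline values (`MIN_RSA_BITS`, `WEAK_KEY_TYPES`, the privileged account list) and the sample hosts and keys are constructed assumptions; the RSA blobs are built with placeholder moduli so the example runs offline.

```python
"""Audit authorized_keys entries from several hosts against a simple key-management baseline."""
import base64
import struct
from collections import defaultdict

MIN_RSA_BITS = 2048           # assumed baseline; set to what your policy requires
WEAK_KEY_TYPES = {"ssh-dss"}  # DSA: disabled by default in current OpenSSH releases


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(x: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_blob(bits: int) -> str:
    """Constructed ssh-rsa blob whose modulus is exactly `bits` bits long (not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(1 << (bits - 1))
    return base64.b64encode(blob).decode()


def _read_strings(blob: bytes):
    off = 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        yield blob[off:off + n]
        off += n


def rsa_modulus_bits(blob_b64: str) -> int:
    """Bit length of the modulus in an ssh-rsa blob (fields: type, e, n)."""
    keytype, _e, n = list(_read_strings(base64.b64decode(blob_b64)))[:3]
    assert keytype == b"ssh-rsa"
    return int.from_bytes(n, "big").bit_length()


def split_authorized_line(line: str):
    """Split 'options keytype blob comment'; options are optional and may contain quoted spaces."""
    options = ""
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch == " " and not in_quote:
                options, line = line[:i], line[i + 1:].lstrip()
                break
    parts = line.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def audit_authorized_keys(files, privileged_accounts=("root",)):
    """files: {(host, account): [authorized_keys lines]} -> sorted (host, account, key, finding)."""
    findings = []
    places_by_blob = defaultdict(set)
    for (host, account), lines in files.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            options, keytype, blob, comment = split_authorized_line(line)
            label = comment or blob[-12:]
            places_by_blob[blob].add((host, account, label))
            if keytype in WEAK_KEY_TYPES:
                findings.append((host, account, label, "weak-key-type"))
            elif keytype == "ssh-rsa" and rsa_modulus_bits(blob) < MIN_RSA_BITS:
                findings.append((host, account, label, "rsa-key-too-short"))
            if account in privileged_accounts and "from=" not in options:
                findings.append((host, account, label, "no-source-restriction"))
    for places in places_by_blob.values():
        if len(places) > 1:  # same key trusted on several hosts: a lateral-movement path
            for host, account, label in places:
                findings.append((host, account, label, "key-authorized-on-multiple-hosts"))
    return sorted(findings)


# Constructed sample: two web hosts, a CI deploy key restricted by source and command,
# an unrestricted admin key, a 1024-bit leftover, and a DSA key on an unprivileged account.
DEPLOY, LEGACY, ADMIN = rsa_blob(3072), rsa_blob(1024), rsa_blob(4096)
DSS = base64.b64encode(_ssh_string(b"ssh-dss")).decode()  # type field only; never decoded
SAMPLE_FILES = {
    ("web-01", "root"): [
        "# constructed sample file",
        f'from="10.0.0.0/24",command="/usr/local/bin/deploy" ssh-rsa {DEPLOY} deploy@ci',
        f"ssh-rsa {ADMIN} admin@laptop",
    ],
    ("web-02", "root"): [
        f'from="10.0.0.0/24",command="/usr/local/bin/deploy" ssh-rsa {DEPLOY} deploy@ci',
        f"ssh-rsa {LEGACY} legacy@old-jumphost",
    ],
    ("web-02", "backup"): [f"ssh-dss {DSS} backup@nas"],
}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_FILES):
        print(*finding)
```

The deploy key is reported only for being trusted on both hosts; whether that is acceptable is a policy decision, which is the point of recording it. The unrestricted admin key and the 1024-bit key on root are the entries most likely to back the "unauthorized access to privileged accounts" risk above.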

Control your SSH keys

To defend against these risks, it is imperative that organizations properly manage and configure their SSH machine identities. Policies and procedures play a critical role in SSH security by establishing consistent baseline requirements across the diverse systems and environments where SSH keys are deployed. The policies should clearly define roles and responsibilities to prevent misunderstandings that result in security lapses and to ensure accountability.

Venafi SSH Protect helps organizations safeguard enterprise SSH machine identities and the host-to-host connections they enable by discovering, protecting and automating their lifecycle. To learn more, download this data sheet or contact one of our experts.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
