A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances.
The vulnerability is due to the presence of default SSH host keys that are shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining one of the SSH private keys and using it to impersonate or decrypt communication between any WSAv, ESAv, or SMAv. An exploit could allow the attacker to decrypt and impersonate secure communication between any virtual content security appliances.
Cisco has confirmed the vulnerability in a security advisory and released software updates.
To exploit this vulnerability, an attacker must first stage a man-in-the-middle attack between the targeted device and the host. This requirement may increase the difficulty of a successful exploit.
A successful exploit of this vulnerability may allow the attacker to decrypt communication and access sensitive information, impersonate a targeted device and send modified data to a configured content appliance, or limit SSH access to any content appliance managed by the targeted device, which could be used to conduct further attacks.
Only virtual WSA, ESA, and SMA appliances are affected by this vulnerability. Cisco WSA, Cisco ESA, and Cisco Content Security Management Appliance are not affected by this vulnerability.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.