Cisco Virtual WSA, ESA, and SMA Default SSH Host Keys Vulnerability
Published: 2015-06-25T16:04:47
ID: CISCO-SA-20150625-CVE-2015-4217 | Type: cisco | Reporter: Cisco | Modified: 2015-07-24T19:29:51
Description
A vulnerability in the remote support functionality of Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) software could allow an unauthenticated, remote attacker to impersonate a virtual content security appliance or to decrypt SSH traffic between such appliances.
The vulnerability is due to default SSH host keys that are shared across all installations of WSAv, ESAv, and SMAv. Because every installation presents the same host key pair, an attacker who obtains the private half of one of those keys from any single installation holds a key that every other WSAv, ESAv, or SMAv accepts as its peer's identity. The attacker can then present that key to impersonate an appliance, or use it to complete a man-in-the-middle key exchange and read or alter the traffic between two appliances. Knowing the host private key does not by itself expose recorded traffic: SSH session keys are agreed through Diffie-Hellman and the host key only signs the exchange, so decryption requires an active position in the path.
Cisco has confirmed the vulnerability in a security advisory and released software updates. There are no workarounds. The same advisory (cisco-sa-20150625-ironport) also covers a companion issue, a default authorized SSH key that permits root login to the virtual appliances, which is tracked separately.
To exploit this vulnerability, an attacker must first establish a man-in-the-middle position between the targeted appliance and the host it communicates with. This requirement raises the difficulty of a successful exploit and is reflected in the medium access complexity of the CVSS vector.
A successful exploit may allow the attacker to decrypt communication and access sensitive information, impersonate a targeted appliance and send modified data to a content appliance configured to trust it, or limit SSH access to any content appliance managed by the targeted device, any of which could be used to conduct further attacks.
Only the virtual WSA, ESA, and SMA appliances are affected. The physical Cisco WSA, Cisco ESA, and Cisco Content Security Management Appliance are not affected.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available. The Nessus record on this page is more conservative, scoring exploitability as unproven (E:U) and flagging no available exploit. Detection itself needs no exploit, only the public host key the appliance presents on its SSH port, which both scanner plugins recorded below compare against a list of known defaults. After applying the update, confirm that the appliance presents a host key that is not on that list, and remove the old key from the known_hosts files of peers that had pinned it.
Record metadata
CVE: CVE-2015-4217
CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) as scored by Cisco and NVD. The Nessus record on this page scores the same issue AV:N/AC:M/Au:N/C:P/I:P/A:N; the partial integrity impact is consistent with the description above, in which an impersonating attacker can send modified data, so treat I:N as an understatement when prioritising.
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150625-CVE-2015-4217
Parent advisory: cisco-sa-20150625-ironport
Cisco bug IDs: CSCus29681, CSCuu95676, CSCuu96601 (from the NVD entry and the Nessus plugin cross-references)
Affected software as tagged in this record: Cisco Web Security Virtual Appliance, Cisco Email Security Virtual Appliance, Cisco Content Security Management Virtual Appliance. The record additionally tags Cisco Identity Services Engine Software, which the advisory text does not name; that tag is not supported by the advisory and should not be relied on.
Record last seen: 2017-09-26T15:33:42; vulners score 5.0
Related records

NVD: CVE-2015-4217 (published 2015-06-26, modified 2016-12-28, CVSS 4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4217
The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH host keys across different customers' installations, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a private key from another installation, aka Bug IDs CSCus29681, CSCuu95676, and CSCuu96601.

Nessus plugin 84500: Cisco Ironport Security Appliance Default Host Key Vulnerability (published 2015-07-02, last modified 2018-11-15)
https://www.tenable.com/plugins/index.php?view=single&id=84500
The remote Cisco security appliance uses a default host key that is shared among all installations of the product. An unauthenticated, remote attacker with knowledge of the private key can impersonate other devices or perform a man-in-the-middle attack between this host and other virtual security appliances.
The plugin scores the issue CVSS2 AV:N/AC:M/Au:N/C:P/I:P/A:N with temporal vector E:U/RL:OF/RC:C and records no available exploit. Detection is a remote, unauthenticated comparison: the host key already collected by ssh_detect.nasl is compared byte-for-byte against three default public keys. All three listed keys are ssh-rsa blobs (the prefix AAAAB3NzaC1yc2E decodes to the length-prefixed string "ssh-rsa"), so the ssh-dsa fallback in the plugin can never produce a match. Plugin source as recorded:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84500);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:20");

  script_cve_id("CVE-2015-4217");
  script_xref(name:"CISCO-BUG-ID", value:"CSCus29681");
  script_xref(name:"IAVA", value:"2015-A-0136");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuu95676");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuu96601");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20150625-ironport");

  script_name(english:"Cisco Ironport Security Appliance Default Host Key Vulnerability");
  script_summary(english:"Checks if the remote host responds with a known key.");

  script_set_attribute(attribute:"synopsis", value:
"The remote security appliance is missing a vendor-supplied patch.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco security appliance uses a default host key that is
shared among all installations of the product. An unauthenticated,
remote attacker with knowledge of the private key can impersonate
other devices or perform a man-in-the-middle attack between this host
and other virtual security appliances.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fab9519e");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant update referenced in Cisco Security Advisory
cisco-sa-20150625-ironport.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:content_security_management_virtual_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:email_security_virtual_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:web_security_virtual_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:asyncos");
  script_set_attribute(attribute:"default_account", value:"true");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");

port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE);

# Host key as collected by ssh_detect.nasl: RSA first, DSA as a fallback.
host_key = get_kb_item("SSH/publickey/ssh-rsa/" + port);
if (empty_or_null(host_key))
  host_key = get_kb_item("SSH/publickey/ssh-dsa/" + port);

if (empty_or_null(host_key))
  exit(0, "Nessus was unable to obtain the host's key.");

# Base64 blobs of the three default ssh-rsa host keys.
default_keys = make_list(
  "AAAAB3NzaC1yc2EAAAADAQABAAABAQCmkCwuBsBk12gtO2niJivv8bZncl44dOq09SyVuPbTL8RfoKona01g0cyfiwdnqBmBW7P2CA+5V3gq0/rGOfJ5TpElTLK/F8od8zF5K0mhSE20FPCbTVigR4m2xij/fKI8h+jJMbYPEV82yIIGGG+802Q7pGR0p4CU0a9yNqFNhr52egJNWVj98O3jM8vdFw1eTogEEa7zkQO/YF1EQ9V+q5U1le0DbZ5vmgFIt/7nOersnnszYMdywPPWRtIJJveI8hbhfC9HZ7CQIXWPiYv1rrjGBdDX4LonE4kIMU3CCf/a4DH+rX4FGtKYdxiPlJS2TxV8Nv1PcIovj/aYdYlf",
  "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqz7uUNZKJDvXz44PeixU/bQsJ3pziZP0FpO1AS4ANvOJ7aOsWMfhzvXnimMsRfMVPARoHTn6Q5EsW2jkgWo0qa6/HMlhc/196zEmvnIrNuvYvQiwHzIAzm3MlhZLbWYGUtPl4L1pQUsn4GAKc9OYqyub6kYBeKvNj3N+kGpTs6oXHpmy4qC8LsNOHwVREPN3/6q4D3tqGkO+x0LKXoIXxB/bHgelPbCdRSxKOnizudu6Gjj5UVLGhDU1Oy1bfzbvzNQG7bFx0ueAL/2FVVplICcj5fTHm9yqUcl/3We6TgaFAtL/lPqGpI1y0UAEvfNpmDp+wAztZAOY6FRA03cPh",
  "AAAAB3NzaC1yc2EAAAADAQABAAABAQDG3Yd4tfLqaj+Cu7D0BgwnYsexDSlb+loUfPalvfGPgWjF+HQiorytLRKVEf8SBHRjMiXX901gKPSKfyFvoAzMHlR8LtO0c9B1SoDdenWgRiYzu1G1z4baEq2YOSpt8yLrVc27jrdR1gf0NAXxHXQTKT5YfpvjEuDr25azKGQAHIe+17U70ruwcPeBGO/RGQ+aHn58DGbO8GKRsxhTZjO13SdgmpDoCQbWvMzgAqEPZNJqbZy7PA/3wKtpu5yYTFKUSmkBfOvCrHmA+POXl+F2Brg2/S7J4kbivacfNDEn5rlGuiY/On6E2Zj3nkI5x5r1OCasuh9cLdx++2/2bAf/"
);

vuln = FALSE;
foreach default_key (default_keys)
{
  if (default_key == host_key)
  {
    vuln = TRUE;
    break;
  }
}

if (vuln)
{
  if (report_verbosity > 0)
  {
    report =
      '\nNessus was able to verify that the remote host uses the following' +
      '\ndefault SSH public key :' +
      '\n Key : ' + host_key +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_HOST_NOT, "affected");
```

OpenVAS: Multiple Cisco Products Default SSH Host Keys Security Bypass Vulnerability (OID 1.3.6.1.4.1.25623.1.0.105319, published 2015-08-14, last modified 2019-02-11)
http://plugins.openvas.org/nasl.php?oid=1361412562310105319
Multiple Cisco products are prone to a security-bypass vulnerability. This test reaches the same answer by a different route: rather than the full key blob, it compares the MD5 fingerprint of the ssh-rsa host key against three known default fingerprints, so it only covers RSA keys and depends on the fingerprint format the ssh_detect dependency stores (colon-separated MD5 hex). Plugin source as recorded:

```nasl
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_multiple_cisco_default_ssh_host_key_75418.nasl 13568 2019-02-11 10:22:27Z cfischer $
#
# Multiple Cisco Products Default SSH Host Keys Security Bypass Vulnerability
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (c) 2015 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105319");
  script_bugtraq_id(75418);
  script_cve_id("CVE-2015-4217");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_version("$Revision: 13568 $");

  script_name("Multiple Cisco Products Default SSH Host Keys Security Bypass Vulnerability");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/75418");
  script_xref(name:"URL", value:"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport");

  script_tag(name:"impact", value:"An attacker can exploit this issue to bypass security restrictions and
  perform unauthorized actions. This may aid in further attacks.");

  script_tag(name:"vuldetect", value:"Check the remote ssh host keys.");

  script_tag(name:"insight", value:"The vulnerability is due to the presence of default SSH host keys that are shared across all the installations of WSAv,
  ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining one of the SSH private keys and using it to impersonate or decrypt communication
  between any WSAv, ESAv, or SMAv. An exploit could allow the attacker to decrypt and impersonate secure communication between any virtual content security appliances.");

  script_tag(name:"solution", value:"Updates are available. Please see the vendor advisory for more information.");
  script_tag(name:"summary", value:"Multiple Cisco products are prone to a security-bypass vulnerability.");

  script_tag(name:"affected", value:"Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) are affected.");
  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"qod_type", value:"remote_active");

  script_tag(name:"last_modification", value:"$Date: 2019-02-11 11:22:27 +0100 (Mon, 11 Feb 2019) $");
  script_tag(name:"creation_date", value:"2015-08-14 13:28:44 +0200 (Fri, 14 Aug 2015)");
  script_category(ACT_GATHER_INFO);
  script_family("CISCO");
  script_copyright("This script is Copyright (C) 2015 Greenbone Networks GmbH");
  script_dependencies("ssh_detect.nasl", "ssh_proto_version.nasl");
  script_require_ports("Services/ssh", 22);
  script_mandatory_keys("ssh/server_banner/available");

  exit(0);
}

include("ssh_func.inc");

port = get_ssh_port(default:22);

# MD5 fingerprint of the RSA host key, as stored by the ssh_detect dependency.
fingerprint = get_kb_item("SSH/" + port + "/fingerprint/ssh-rsa");
if( ! fingerprint )
  exit( 0 );

known_fingerprints = make_list( "5e:78:99:f3:11:89:c2:60:ac:63:53:8f:48:d6:8f:a3",
                                "f0:67:d0:64:b5:56:b8:8e:f9:4a:c3:c9:5d:a4:2a:21",
                                "52:f5:c2:f1:b0:7f:dc:bb:eb:70:92:70:be:ed:a5:ee"
                              );

foreach kf ( known_fingerprints )
{
  if( kf == fingerprint )
  {
    report = 'The remote host is using the following default SSH host key: ' + fingerprint + '\n';
    security_message( port:port, data:report );
    exit( 0 );
  }
}

exit( 0 );
```

SecurityVulns: VULN:14551, Cisco Virtual WSA / ESA / SMA default keys (2015-06-29, CVSS 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N)
https://vulners.com/securityvulns/SECURITYVULNS:VULN:14551
Default ssh keys are installed.

Cisco: cisco-sa-20150625-ironport, Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA, and SMA (published 2015-06-25, CVSS 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.
The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user.
A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances.
The vulnerability is due to the presence of default SSH host keys that are shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining one of the SSH private keys and using it to impersonate or decrypt communication between any WSAv, ESAv, or SMAv. An exploit could allow the attacker to decrypt and impersonate secure communication between any virtual content security appliances.
Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) are affected by the following vulnerabilities:
  Cisco Virtual WSA, ESA, and SMA Default Authorized SSH Key Vulnerability
  Cisco Virtual WSA, ESA, and SMA Default SSH Host Keys Vulnerability
Cisco has released software updates that address these vulnerabilities.
There are no workarounds for these vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
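As an added example (not code from this page, Cisco, Tenable or Greenbone), the following Python script applies both detection strategies recorded above to ssh-keyscan style input: the Nessus plugin's exact comparison of the base64 host-key blob, and the OpenVAS plugin's comparison of the RSA key's MD5 fingerprint. The three default-key blobs and the three fingerprints are copied from those plugins; the host names, the sample key-scan lines and the "fresh" modulus are constructed for illustration. The small wire-format helpers follow the ssh-rsa public-key encoding from RFC 4253 (length-prefixed string "ssh-rsa", mpint e, mpint n) so that the fingerprint path can be exercised offline on a key built in the script; everything else is standard-library Python.

```python
import base64
import binascii
import hashlib
import re
import struct

# Default ssh-rsa host-key blobs, copied from the Nessus plugin recorded on this page.
DEFAULT_KEY_BLOBS = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCmkCwuBsBk12gtO2niJivv8bZncl44dOq09SyVuPbTL8RfoKona01g0cyfiwdnqBmBW7P2CA+5V3gq0/rGOfJ5TpElTLK/F8od8zF5K0mhSE20FPCbTVigR4m2xij/fKI8h+jJMbYPEV82yIIGGG+802Q7pGR0p4CU0a9yNqFNhr52egJNWVj98O3jM8vdFw1eTogEEa7zkQO/YF1EQ9V+q5U1le0DbZ5vmgFIt/7nOersnnszYMdywPPWRtIJJveI8hbhfC9HZ7CQIXWPiYv1rrjGBdDX4LonE4kIMU3CCf/a4DH+rX4FGtKYdxiPlJS2TxV8Nv1PcIovj/aYdYlf",
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqz7uUNZKJDvXz44PeixU/bQsJ3pziZP0FpO1AS4ANvOJ7aOsWMfhzvXnimMsRfMVPARoHTn6Q5EsW2jkgWo0qa6/HMlhc/196zEmvnIrNuvYvQiwHzIAzm3MlhZLbWYGUtPl4L1pQUsn4GAKc9OYqyub6kYBeKvNj3N+kGpTs6oXHpmy4qC8LsNOHwVREPN3/6q4D3tqGkO+x0LKXoIXxB/bHgelPbCdRSxKOnizudu6Gjj5UVLGhDU1Oy1bfzbvzNQG7bFx0ueAL/2FVVplICcj5fTHm9yqUcl/3We6TgaFAtL/lPqGpI1y0UAEvfNpmDp+wAztZAOY6FRA03cPh",
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDG3Yd4tfLqaj+Cu7D0BgwnYsexDSlb+loUfPalvfGPgWjF+HQiorytLRKVEf8SBHRjMiXX901gKPSKfyFvoAzMHlR8LtO0c9B1SoDdenWgRiYzu1G1z4baEq2YOSpt8yLrVc27jrdR1gf0NAXxHXQTKT5YfpvjEuDr25azKGQAHIe+17U70ruwcPeBGO/RGQ+aHn58DGbO8GKRsxhTZjO13SdgmpDoCQbWvMzgAqEPZNJqbZy7PA/3wKtpu5yYTFKUSmkBfOvCrHmA+POXl+F2Brg2/S7J4kbivacfNDEn5rlGuiY/On6E2Zj3nkI5x5r1OCasuh9cLdx++2/2bAf/",
)

# MD5 fingerprints of the default RSA host keys, copied from the OpenVAS plugin recorded on this page.
DEFAULT_KEY_MD5 = {
    "5e:78:99:f3:11:89:c2:60:ac:63:53:8f:48:d6:8f:a3",
    "f0:67:d0:64:b5:56:b8:8e:f9:4a:c3:c9:5d:a4:2a:21",
    "52:f5:c2:f1:b0:7f:dc:bb:eb:70:92:70:be:ed:a5:ee",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_host_key_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n (RFC 4253 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint (ssh-keygen -l -E md5): MD5 of the blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH fingerprint: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_host_key(keytype: str, b64blob: str) -> dict:
    """Classify one host key; 'reason' records which comparison fired ('blob', 'md5') or why none could."""
    result = {"keytype": keytype, "default": False, "reason": None, "md5": None, "sha256": None}
    if b64blob in DEFAULT_KEY_BLOBS:  # byte-for-byte match on the base64 blob, as Nessus does
        result["default"], result["reason"] = True, "blob"
    try:
        blob = base64.b64decode(b64blob, validate=True)
    except (binascii.Error, ValueError):
        result["reason"] = result["reason"] or "undecodable"
        return result
    result["md5"] = md5_fingerprint(blob)
    result["sha256"] = sha256_fingerprint(blob)
    if not result["default"] and result["md5"] in DEFAULT_KEY_MD5:  # fingerprint match, as OpenVAS does
        result["default"], result["reason"] = True, "md5"
    return result


# "host keytype blob" as written by ssh-keyscan and in known_hosts files.
KEYSCAN_RE = re.compile(r"^(?P<host>\S+)\s+(?P<type>ssh-\S+|ecdsa-\S+)\s+(?P<blob>[A-Za-z0-9+/=]+)")


def scan_known_hosts(text: str) -> list:
    """Run check_host_key over every parseable line; comments and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYSCAN_RE.match(line)
        if not m:
            continue
        r = check_host_key(m.group("type"), m.group("blob"))
        r["host"] = m.group("host")
        findings.append(r)
    return findings


# Constructed contrast key: a 2048-bit odd modulus with a valid wire encoding, not a real key.
FRESH_BLOB = base64.b64encode(rsa_host_key_blob(65537, (1 << 2047) | 0x1234567)).decode()

# Constructed ssh-keyscan output: two appliances still on a shipped key, one rekeyed.
SAMPLE_KEYSCAN = "\n".join([
    "# ssh-keyscan output, constructed for this example",
    "wsav-1.example.internal ssh-rsa " + DEFAULT_KEY_BLOBS[0],
    "esav-1.example.internal ssh-rsa " + DEFAULT_KEY_BLOBS[1],
    "smav-1.example.internal ssh-rsa " + FRESH_BLOB,
])

if __name__ == "__main__":
    for f in scan_known_hosts(SAMPLE_KEYSCAN):
        verdict = "DEFAULT KEY (%s)" % f["reason"] if f["default"] else "unique"
        print("%-26s %-18s md5=%s" % (f["host"], verdict, f["md5"]))
```

In practice the input is the output of `ssh-keyscan -t rsa <appliance>`, and the MD5 column can be cross-checked against `ssh-keygen -l -E md5 -f <keyfile>`. A blob match is conclusive on its own; the fingerprint path matters when only a fingerprint has been recorded (as in the OpenVAS knowledge base), and the script keeps the two verdicts distinct so a finding can be traced back to the comparison that produced it.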