Cisco has issued security updates to address a critical vulnerability in the Cisco Umbrella Virtual Appliance (VA) that allows unauthenticated attackers to obtain admin credentials remotely. The bug, tracked as CVE-2022-20773, was discovered by Fraser Hess of Pinnacol Assurance in the key-based SSH authentication method of the Cisco Umbrella VA.
These on-premises virtual machines are used by Cisco Umbrella as conditional DNS forwarders that encrypt, log, and authenticate DNS traffic. Cisco Umbrella is a cloud-delivered security solution used by over 24,000 businesses for DNS-layer protection against malware, phishing, and ransomware threats. The flaw affects the Cisco Umbrella VA for Hyper-V and VMware ESXi running software versions earlier than 3.3.2.
“This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA,” Cisco explained. “A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA.”
Fortunately, Cisco says the SSH service is disabled by default on Umbrella on-premises virtual appliances, which limits the overall impact of the issue. To check whether SSH is enabled on your Cisco Umbrella Virtual Appliances, connect to the hypervisor console, press CTRL+B to enter configuration mode, then run the config VA show command to inspect the VA's settings. On systems with SSH enabled, the command output ends with an "SSH access: enabled" line.
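The root cause Cisco describes is a static SSH host key, so every affected appliance presents the same key and a network attacker can impersonate it. A defender-side check that follows from this is to collect host keys from all appliances and flag any fingerprint that is shared by more than one host. The script below is an added example, not Cisco's code or tooling: it parses ssh-keyscan or known_hosts style lines, computes OpenSSH's SHA256 fingerprint over the decoded key blob (the same value ssh-keygen -lf prints), and reports hosts that share a key. The hostnames and key blobs are constructed sample data, not real appliance keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample input in ssh-keyscan / known_hosts format
# ("host keytype base64-blob"). The key blobs are arbitrary bytes, not real
# keys; va1 and va2 deliberately share one blob to model a static host key.
_KEY_A = base64.b64encode(b"constructed-host-key-blob-A").decode()
_KEY_B = base64.b64encode(b"constructed-host-key-blob-B").decode()
SAMPLE_KEYSCAN_OUTPUT = "\n".join([
    "# va1.example.internal:22 SSH-2.0-OpenSSH_8.9",   # ssh-keyscan banner comment
    f"va1.example.internal ssh-ed25519 {_KEY_A}",
    f"va2.example.internal ssh-ed25519 {_KEY_A}",
    f"va3.example.internal ssh-ed25519 {_KEY_B}",
])


def openssh_fingerprint(b64_key: str) -> str:
    """Return the OpenSSH-style fingerprint 'SHA256:<base64>' of a key blob.

    OpenSSH hashes the raw (base64-decoded) public key blob and prints the
    digest base64-encoded with trailing '=' padding stripped.
    """
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) for each key line in keyscan output.

    Comment lines (ssh-keyscan banners) and blank lines are skipped. Hashed
    known_hosts entries ("|1|...") are skipped too, because the hostname is
    not recoverable from them.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, key = parts[0], parts[1], parts[2]
        yield host, keytype, openssh_fingerprint(key)


def shared_host_keys(text: str) -> dict:
    """Map (keytype, fingerprint) -> sorted hosts for keys seen on >1 host.

    Any entry in the result is a host key shared across appliances, which is
    exactly the condition that makes the MITM described in the advisory
    possible; after upgrading, this mapping should be empty.
    """
    by_fp = defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        by_fp[(keytype, fp)].add(host)
    return {k: sorted(hosts) for k, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_KEYSCAN_OUTPUT).items():
        print(f"SHARED {keytype} {fp} on: {', '.join(hosts)}")
```

In practice the input would be the output of ssh-keyscan run against the list of appliances that the config VA show check showed to have SSH enabled; the fingerprints it reports can be compared directly with what ssh-keygen -lf prints on each appliance.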
There are no workarounds or mitigations for this vulnerability, so Cisco recommends that customers upgrade to a fixed software release. The Cisco Product Security Incident Response Team (PSIRT) also said that no public proof-of-concept exploit code for this flaw is available online, and that it is unaware of any active exploitation in the wild.
In November, Cisco also patched another severe vulnerability (CVE-2021-40119), caused by default SSH keys in the key-based SSH authentication method of Cisco Policy Suite, which could allow unauthenticated remote attackers to log in as the root user. On the same day, Cisco fixed a second major flaw in the Telnet service of Cisco Catalyst PON Series Switches ONT (CVE-2021-34795), which allowed unauthenticated attackers to log in remotely via a debugging account with a default password.