Overview
On Thursday, November 04, 2021, Cisco announced an update to address a critical static SSH keys vulnerability (CVE-2021-40119) in Cisco Policy Suite. Affected Cisco Policy Suite versions should be updated immediately, as the vulnerability allows unauthenticated remote attackers to log in to affected systems as the root user.
Description
Cisco has released a new version (21.2.0) of Cisco Policy Suite to address a critical static SSH keys vulnerability (CVE-2021-40119) that allows unauthenticated remote attackers to log in to affected systems as the root user. The vulnerability stems from the reuse of the same static SSH keys across installations: an attacker who obtains the key from one installation holds a credential that is valid on every other installation shipped with that key, and can use it to log in to those systems as the root user.
This vulnerability only affects Cisco Policy Suite versions prior to 21.2.0. Note that if an older version of Cisco Policy Suite is upgraded to version 21.2.0, the default SSH keys still need to be changed manually; only new installations of version 21.2.0 are not susceptible to this vulnerability.
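The defender's check that follows from this description, written here as an added example and not taken from the advisory or from Cisco: given public-key lines collected from several installations, it computes each key's OpenSSH SHA256 fingerprint and reports any fingerprint that appears on more than one host, which is exactly the cross-installation key reuse the advisory describes. The host names, the inventory and the key material are all constructed for the example (the ed25519 "public keys" are synthetic bytes, not any real product key), and the names make_ed25519_line, fingerprint and find_shared_keys are chosen here, not part of Cisco Policy Suite.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a seed.

    Constructed test data only: the 32-byte 'public key' is the seed byte
    repeated, so two calls with the same seed yield the same key.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of a public-key line.

    This is the 'SHA256:...' field that `ssh-keygen -lf` prints: SHA-256 over
    the base64-decoded key blob, base64-encoded with '=' padding stripped.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"not a public-key line: {line!r}")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each fingerprint seen on more than one host to the sorted hosts carrying it.

    A key present on several independent installations is the static-key reuse
    the advisory describes; each such key should be rotated on every host listed.
    """
    hosts_by_fp: dict[str, set[str]] = defaultdict(set)
    for host, lines in inventory.items():
        for line in lines:
            # Skip blank lines and comments, as sshd does when reading key files.
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            hosts_by_fp[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed inventory: host name -> public-key lines collected from that host.
# The key with seed 0x11 is deliberately present on two hosts.
SAMPLE_INVENTORY = {
    "cps-cm-01": [
        make_ed25519_line(0x11, "vendor-default"),
        make_ed25519_line(0x21, "admin@cps-cm-01"),
    ],
    "cps-cm-02": [make_ed25519_line(0x11, "vendor-default")],
    "cps-cm-03": [make_ed25519_line(0x33, "admin@cps-cm-03"), "# comment line"],
}

if __name__ == "__main__":
    shared = find_shared_keys(SAMPLE_INVENTORY)
    if not shared:
        print("no public key is shared between hosts")
    for fp, hosts in shared.items():
        print(f"{fp} is present on {', '.join(hosts)}: rotate it on each host")
```

On real systems the inventory would be filled from each installation's authorized_keys and host-key files; comparing fingerprints rather than raw key lines means differing comments or whitespace cannot hide a reused key. Running the same check after the key-change procedure confirms that no fingerprint is still shared.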
Impact
An unauthenticated remote attacker who successfully exploits the static SSH key vulnerability (CVE-2021-40119) could gain unauthorized access to the affected systems with root privileges.
Impact Summary CVE-2021-40119
Category: Reuse of Static Keys
CVSS 3.1 Base Score: 9.8 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Solution (Update)
To defend against possible attacks exploiting this vulnerability, the following actions need to be taken, as advised by Cisco.
- Cisco Policy Suite releases earlier than 20.2.0 should be upgraded to 21.1.0.
- Technical Assistance Center (TAC) should be contacted to get a patch installed for Cisco Policy Suite version 20.2.0.
- Default SSH keys should be changed in Cisco Policy Suite version 21.1.0.
- Releases 21.2.0 and later are not vulnerable in new installations of the product. However, if a product is upgraded from 21.1.0, the keys should still be changed according to the procedure described below.
Procedure for Changing the Default SSH Keys
Step 1. Generate new keys by executing the following command on the Cluster Manager:
/var/qps/install/current/scripts/bin/support/manage_sshkey.sh --create
Step 2. Update the keys:
/var/qps/install/current/scripts/bin/support/manage_sshkey.sh --update
References to Advisories, Solutions and Tools
- Cisco Security Advisories (Cisco Policy Suite Static SSH Keys Vulnerability)
- NVD (CVE-2021-40119)