Static SSH Keys Vulnerability in Cisco Policy Suite (CVE-2021-40119)

Cisco has announced a new update to address a critical vulnerability (CVE-2021-40119) that exists in Cisco Policy Suite.

Overview

Cisco has announced a new update on Thursday (November 04, 2021) to address a critical static SSH keys vulnerability (CVE-2021-40119) that exists in Cisco Policy Suite. Cisco Policy Suite products with vulnerable versions should be updated immediately, as the vulnerability allows unauthenticated remote attackers to log in to affected systems as the root user.

Description

Cisco has released a new version (21.2.0) for Cisco Policy Suite to address a critical static SSH keys vulnerability (CVE-2021-40119) that allows unauthenticated remote attackers to log in to affected systems as the root user. The vulnerability stems from the reuse of static SSH keys across installations. In other words, to exploit the vulnerability, attackers could extract a key from a system under their control and reuse the extracted key to log in to other affected products as the root user.

This vulnerability only affects Cisco Policy Suite products with versions prior to 21.2.0. Note that, if older versions of the Cisco Policy Suite are upgraded to version 21.2.0, default SSH keys still need to be changed manually. However, new installations of the Cisco Policy Suite are not susceptible to this vulnerability.

Impact

An unauthenticated remote attacker who successfully exploits the static SSH key vulnerability (CVE-2021-40119) could gain unauthorized access to the affected systems with root privileges.

Impact Summary CVE-2021-40119

Category: Reuse of Static Keys
CVSS 3.1 Base Score: 9.8 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Solution (Update)

To defend against possible attacks exploiting this vulnerability, the following actions need to be taken, as advised by Cisco.

  • Cisco Policy Suite releases earlier than 20.2.0 should be upgraded to 21.1.0.
  • Technical Assistance Center (TAC) should be contacted to get a patch installed for Cisco Policy Suite version 20.2.0.
  • Default SSH keys should be changed in Cisco Policy Suite version 21.1.0.
  • Releases 21.2.0 and later are not vulnerable in new installations of the product. However, if a product is upgraded from 21.1.0j, the keys should still be changed according to the procedure described below.

Procedure for Changing the Default SSH Keys

Step 1. Generate new keys by executing the following command on the Cluster Manager:

/var/qps/install/current/scripts/bin/support/manage_sshkey.sh --create

Step 2. Update the keys:

/var/qps/install/current/scripts/bin/support/manage_sshkey.sh --update
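
To confirm that the rotation took effect, the following added example (not Cisco tooling and not part of the advisory) computes OpenSSH SHA256 fingerprints for public keys collected from several installations and reports any key that appears on more than one host. The hostnames, the sample keys, and the assumption that each host's authorized_keys text has already been collected are constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one public-key line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_PREFIXES):
            continue  # skip authorized_keys options placed before the key type
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # field looked like a key type but no valid blob follows
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def shared_keys(inventory):
    """Return {fingerprint: [hosts]} for every key found on more than one host."""
    seen = defaultdict(set)
    for host, text in inventory.items():
        for line in text.splitlines():
            fp = None if line.lstrip().startswith("#") else fingerprint(line)
            if fp:
                seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def sample_key(seed):
    """Constructed ed25519-shaped public-key line; not a real key."""
    name = b"ssh-ed25519"
    body = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + body
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@constructed"

# Constructed inventory: authorized_keys text per host (hostnames are hypothetical).
DEFAULT = sample_key(b"shipped-default")
BEFORE = {"cps-a": DEFAULT, "cps-b": "# installer\n" + DEFAULT,
          "cps-c": sample_key(b"c")}
AFTER = {"cps-a": sample_key(b"a-new"), "cps-b": sample_key(b"b-new"),
         "cps-c": sample_key(b"c")}

if __name__ == "__main__":
    for label, inv in (("before rotation", BEFORE), ("after rotation", AFTER)):
        print(label, shared_keys(inv) or "no shared keys")
```

Any fingerprint still reported after running the update step means at least two installations continue to trust the same key and the rotation should be repeated on those hosts.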