Critical Vulnerability in Cisco Policy Suite Exposes Hardcoded SSH Key, Allowing Remote Root Access

November 5, 2021

Cisco Systems has issued security updates to rectify vulnerabilities in several Cisco products that could enable attackers to log in as root users, gaining control over compromised systems. The vulnerability, identified as CVE-2021-40119, has been assigned a critical severity rating of 9.8 out of 10 on the CVSS scale and originates from flaws in the SSH authentication mechanism of Cisco Policy Suite. According to Cisco’s advisory, “An attacker could exploit this vulnerability by connecting to an affected device via SSH,” warning that a successful exploit could provide the attacker with root access. The issue was uncovered during internal security assessments. Future releases of Cisco Policy Suite (21.2.0 and beyond) will automatically generate new SSH keys upon installation, although devices upgrading from version 21.1.0 will still require a manual process to replace the default SSH keys.

Hardcoded SSH Key in Cisco Policy Suite Exposes Systems to Remote Root Access Vulnerability

On November 5, 2021, Cisco Systems disclosed critical security updates aimed at addressing significant vulnerabilities across several of its products. One of the foremost issues identified is linked to a hardcoded SSH key within the Cisco Policy Suite, which poses a serious threat that could enable remote hackers to log in as root users and seize control of affected systems. This vulnerability has been assigned the identifier CVE-2021-40119 and carries a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), highlighting the urgent need for remediation.

The vulnerability arises from weaknesses in the SSH authentication process, which can be exploited by a remote attacker with access to an affected device. Cisco’s advisory elaborates on the scope of the risk, stating that exploitation of this flaw would permit an unauthorized individual to gain root access to the system. This issue was uncovered during the company’s internal security assessments, emphasizing the importance of rigorous testing protocols in securing network infrastructures.

As part of its response, Cisco has introduced version 21.2.0 of the Policy Suite, which includes provisions for automatically generating new SSH keys upon installation. However, organizations upgrading from version 21.1.0 will still need to manually adjust the default SSH keys, which complicates the patching process and may leave systems vulnerable if not correctly configured. This highlights ongoing challenges within the management of cybersecurity protocols, particularly in relation to legacy systems.

The implications of this vulnerability are broad, affecting numerous sectors where Cisco’s technologies are deployed, and the targeting is particularly relevant within the US, where many businesses rely on Cisco equipment for secure networking. Cyber threat actors could employ various tactics as outlined by the MITRE ATT&CK framework to exploit this weakness.

Initial access could be achieved through compromised SSH connections, followed by persistence tactics designed to maintain access to the system post-exploitation. Furthermore, privilege escalation techniques could be leveraged to obtain higher levels of access, enabling attackers to manipulate systems or extract sensitive information.

Organizations are now placed in a position where they must not only apply the patches provided by Cisco but also conduct thorough audits of their systems to ensure no lingering vulnerabilities remain. As the cybersecurity landscape continues to evolve, the recent findings underscore the critical need for heightened vigilance in safeguarding network infrastructures against emerging threats. Business owners must recognize the importance of adopting robust security protocols to mitigate risks associated with such vulnerabilities.

As cyber threats grow increasingly sophisticated, ongoing education and awareness in the realm of cybersecurity will be pivotal for businesses aiming to protect their digital assets and maintain operational integrity.

Source link

Related Posts

Experts Uncover Malicious Code Exploiting Vulnerability in ManageEngine ADSelfService

On November 8, 2021, it was revealed that at least nine organizations in the technology, defense, healthcare, energy, and education sectors were compromised due to a recently patched critical vulnerability in Zoho’s ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution. This surveillance campaign, which began on September 22, 2021, saw attackers exploiting the flaw to gain initial access, subsequently moving laterally within the networks to conduct post-exploitation activities. They deployed malicious tools designed to harvest credentials and exfiltrate sensitive data through a backdoor. “The attackers relied heavily on the Godzilla web shell, uploading various versions of this open-source tool to the compromised servers throughout the operation,” reported researchers from Palo Alto Networks’ Unit 42 threat intelligence team. “Several other tools exhibited unique characteristics or functionalities…”

Unresolved Unauthorized File Read Vulnerability Impacts Microsoft Windows OS

On November 30, 2021, it was reported that unofficial patches have been released to address a poorly patched Windows security flaw which poses risks for information disclosure and local privilege escalation (LPE) on affected systems. Identified as CVE-2021-24084 (CVSS score: 5.5), this vulnerability is linked to the Windows Mobile Device Management component, potentially allowing attackers to gain unauthorized access to the file system and read arbitrary files. Security researcher Abdelhamid Naceri discovered and reported the issue in October 2020, leading Microsoft to include it in their February 2021 Patch Tuesday updates. However, as noted by Naceri in June 2021, the patch can be bypassed, and it has also been found that the inadequately addressed vulnerability enables attackers to gain administrator privileges and execute malicious code on Windows 10 systems.

Serious Security Vulnerability Discovered in Multiple HP Printer Models

On November 30, 2021, cybersecurity experts revealed significant security weaknesses affecting 150 different multifunction printers from HP Inc. These flaws, which have been present for eight years, can be exploited by attackers to gain control of vulnerable devices, steal sensitive information, and infiltrate enterprise networks to execute further attacks.

The two vulnerabilities, termed Printing Shellz, were uncovered by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev and reported to HP on April 29, 2021. As a result, HP released patches earlier this month addressing the issues:

  • CVE-2021-39237 (CVSS Score: 7.1): An information disclosure vulnerability affecting specific HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.

  • CVE-2021-39238 (CVSS Score: 9.3): A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

Further details on the vulnerabilities are currently under review.

CISA Issues Warning on Exploited Critical Vulnerability in Zoho ManageEngine ServiceDesk

On December 3, 2021, the FBI and CISA alerted the public about active exploitation of a newly patched vulnerability in Zoho’s ManageEngine ServiceDesk Plus. Identified as CVE-2021-44077 (CVSS score: 9.8), this flaw enables unauthenticated remote code execution in versions up to 11305. If unaddressed, it allows attackers to upload executable files and establish web shells for further malicious activities, such as compromising admin credentials, lateral movement, and exfiltrating sensitive information like registry hives and Active Directory files. Zoho also highlighted that a security misconfiguration in ServiceDesk Plus was the root cause of this issue.