American networking giant Cisco has released a patch (opens in new tab) that prevents threat actors from remotely stealing credentials from Umbrella Virtual Appliance (VA) administrators.
According to a security advisory published by the firm, the flaw was discovered by Pinnacol Assurance in the key-based SSH authentication mechanism.
The flaw, now tracked as CVE-2022-20773, can be leveraged by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA.
"A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA," said Cisco.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
No real-life examples
The flaw is present in Cisco Umbrella VA for Hyper-V and VMWare ESXi on versions older than 3.3.2. There are no workarounds or mitigations, so the only way to address the issue is to install the patch.
Thankfully, Cisco has found no evidence of anyone abusing the flaw in the wild. The company also said that the SSH service is not enabled by default on Umbrella on-prem VAs, which lowers the chances of the flaw being abused.
Those unsure if SSH is enabled in their VAs should log into the hypervisor console, navigate to the configuration mode (CTRL+B), and run config via show command. If SSH is indeed enabled, the command output should include “SSH access : enabled” at the end.
Cisco Umbrella is a cloud-delivered security service, protecting more than 24,000 clients against a wide variety of malware, ransomware and phishing attacks.
Late last year, the company patched two high-severity flaws in the Catalyst PON Series Switches Optical Network Terminals, which would have allowed for unauthorized root access to endpoints (opens in new tab).
The two vulnerabilities are tracked as CVE-2021-34795 and CVE-2021-40113, with the former described as an "unintentional debugging credential".
Whoever held the hidden credentials could get root access to the passive optical network switches, but to do that, the device needed to have Telnet support enabled, something that's usually off by default.
- Keep tabs on your devices with the best firewalls around (opens in new tab)