Cisco warns of new bug that could let hackers run off with admin credentials

cisco logo
(Image credit: Shutterstock / Ken Wolter)

American networking giant Cisco has released a patch that prevents threat actors from remotely stealing credentials from Umbrella Virtual Appliance (VA) administrators. 

According to a security advisory published by the firm, the flaw was discovered by Pinnacol Assurance in the key-based SSH authentication mechanism.

The flaw, now tracked as CVE-2022-20773, can be leveraged by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. 

"A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA," said Cisco.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

No real-life examples

The flaw is present in Cisco Umbrella VA for Hyper-V and VMWare ESXi on versions older than 3.3.2. There are no workarounds or mitigations, so the only way to address the issue is to install the patch.

Thankfully, Cisco has found no evidence of anyone abusing the flaw in the wild. The company also said that the SSH service is not enabled by default on Umbrella on-prem VAs, which lowers the chances of the flaw being abused.

Those unsure if SSH is enabled in their VAs should log into the hypervisor console, navigate to the configuration mode (CTRL+B), and run config via show command. If SSH is indeed enabled, the command output should include “SSH access : enabled” at the end.

Cisco Umbrella is a cloud-delivered security service, protecting more than 24,000 clients against a wide variety of malware, ransomware and phishing attacks. 

Late last year, the company patched two high-severity flaws in the Catalyst PON Series Switches Optical Network Terminals, which would have allowed for unauthorized root access to endpoints.

The two vulnerabilities are tracked as CVE-2021-34795 and CVE-2021-40113, with the former described as an "unintentional debugging credential".

Whoever held the hidden credentials could get root access to the passive optical network switches, but to do that, the device needed to have Telnet support enabled, something that's usually off by default.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.