Cisco warns of new bug that could let hackers run off with admin credentials

US networking giant Cisco has released a patch that prevents hackers from stealing Umbrella Virtual Appliance (VA) administrator credentials remotely.

According to a security advisory published by the firm, the flaw was discovered by Pinnacol Assurance in the key-based SSH authentication mechanism.

The flaw, now tracked as CVE-2022-20773, stems from a static SSH host key shipped with the appliance image; because the key is the same on every install, an unauthenticated remote attacker who holds it can perform a man-in-the-middle attack on an SSH connection to the Umbrella VA without tripping the client's host-key check.

“A successful exploit could allow the attacker to learn administrator credentials, change configurations, or reload the VA,” Cisco said.

No concrete examples

The flaw is present in Cisco Umbrella VA for Hyper-V and VMware ESXi in versions prior to 3.3.2. There are no workarounds or mitigations, so the only way to fix the problem is to upgrade to a fixed release.

Fortunately, Cisco has found no evidence that anyone is abusing the flaw in the wild. The company also said that the SSH service is not enabled by default on on-premises Umbrella VAs, which reduces the exposure to the flaw.

Those who are unsure whether SSH is enabled on their VAs should log in to the hypervisor console, enter configuration mode (CTRL+B), and run the config va show command. If SSH is enabled, the command output will include "SSH Access: Enabled" near the end.

Cisco Umbrella is a cloud-delivered security service, protecting more than 24,000 customers against a wide variety of malware, ransomware, and phishing attacks.

Late last year, the company patched two serious flaws in the optical network terminals of its Catalyst PON series switches, which could give an attacker root access to the devices.


The two vulnerabilities are tracked as CVE-2021-34795 and CVE-2021-40113, the former being caused by an inadvertent debugging credential left in the system.

Anyone who knew the hidden credential could log in as root over Telnet on the affected PON switches, but only if Telnet had been enabled on the device, which it is not by default.
