Hard-coded Key-based SSH Authentication Flaw in Cisco Policy Suite Lets Hackers Gain Root Access

Cisco Systems has recently published security updates to address vulnerabilities in several of its products. Among them is a hard-coded key-based SSH authentication flaw in Cisco Policy Suite that enables attackers to gain root access on vulnerable systems remotely.

The first flaw, tracked as CVE-2021-34795, affects the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) and has been fixed by the IT giant.

This type of vulnerability is due to a weakness in the SSH subsystem of an affected system, and a threat actor could exploit it simply by connecting to an affected device through SSH.

Flaw profile

  • CVE ID: CVE-2021-40119
  • Description: Cisco Policy Suite Static SSH Keys Vulnerability
  • Advisory ID: cisco-sa-cps-static-key-JmS92hNv
  • First Published: 2021 November 3 16:00 GMT
  • Last Updated: 2021 November 4 17:32 GMT
  • Version 1.1: Final
  • Workarounds: No workarounds available
  • Cisco Bug IDs: CSCvw24544
  • CVSS Score: 9.8

Cisco stated:-

“An attacker could exploit this vulnerability by connecting to an affected device through SSH. A successful exploit could allow the attacker to log in to an affected system as the root user.”

Affected Catalyst PON switches

Here is the list of all the affected Catalyst PON switches:-

  • Catalyst PON Switch CGP-ONT-1P
  • Catalyst PON Switch CGP-ONT-4P
  • Catalyst PON Switch CGP-ONT-4PV
  • Catalyst PON Switch CGP-ONT-4PVC
  • Catalyst PON Switch CGP-ONT-4TVCW

Unaffected Catalyst PON Switch

Here is the list of all the unaffected Catalyst PON Switch:-

  • Catalyst PON Switch CGP-OLT-8T
  • Catalyst PON Switch CGP-OLT-16T

Fixed Releases

Cisco advises all customers to upgrade to a fixed software release; the advisory lists the fixed releases for each affected version.

In addition, the default SSH keys should be changed. Generating and installing new SSH keys takes two steps:-

  • Step 1 : To generate new keys, simply execute the following command on installer VM (Cluster Manager):

/var/qps/install/current/scripts/bin/support/manage_sshkey.sh --create

  • Step 2 : Update keys on CPS VMs and installer VM (Cluster Manager):

/var/qps/install/current/scripts/bin/support/manage_sshkey.sh --update
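As an added example (not from the article and not Cisco's own tooling), the defender-side check that motivates the rotation above: a fleet-wide comparison of SSH host keys that flags any key presented by more than one host, the tell-tale of a static, hard-coded key. It assumes ssh-keyscan-style inventory lines; the hostnames and key blobs are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def _ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob (base64).
    The 32-byte 'public key' is synthetic: this is constructed sample data."""
    key_type = b"ssh-ed25519"
    pub = bytes([(seed + i) % 256 for i in range(32)])
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(pub).to_bytes(4, "big") + pub)
    return base64.b64encode(blob).decode()


SHARED_KEY = _ed25519_blob(7)     # the static key two VMs have in common
UNIQUE_KEY = _ed25519_blob(99)    # a properly generated per-host key

# Constructed ssh-keyscan-style inventory for three hypothetical CPS VMs.
SAMPLE_SCAN = [
    f"cps-lb01 ssh-ed25519 {SHARED_KEY}",
    f"cps-lb02 ssh-ed25519 {SHARED_KEY}",
    f"cps-pcrf01 ssh-ed25519 {UNIQUE_KEY}",
]


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(scan_lines):
    """Group hosts by host-key fingerprint and return only fingerprints seen
    on more than one host, i.e. candidates for a static/hard-coded key."""
    by_fp = defaultdict(set)
    for line in scan_lines:
        if not line.strip() or line.startswith("#"):
            continue                      # ssh-keyscan emits comment lines
        host, _key_type, b64_key = line.split()[:3]
        by_fp[fingerprint(b64_key)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}: rotate with manage_sshkey.sh")
```

Re-running the check after the two manage_sshkey.sh steps should return no shared fingerprints.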

Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any exploitation of this vulnerability in the wild. However, the experts advise all customers to keep their systems updated regularly.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.