Cisco has released patches to address several vulnerabilities affecting the IOS and IOS XE software running on many of the company’s routers and switches.
The most serious of the security issues fixed by Cisco is a vulnerability in the IOS and IOS XE software implementation of the SSH version 2 protocol. The flaw (CVE-2015-6280) can be exploited by a remote, unauthenticated attacker to bypass user authentication.
“The vulnerability is due to a flaw in the implementation of the SSHv2 public key authentication method, also known as Rivest, Shamir, and Adleman (RSA)-based user authentication,” Cisco said in an advisory. “An attacker could exploit this vulnerability by authenticating to an affected system configured for SSHv2 RSA-based user authentication using a crafted private key. The attacker must know a valid username configured for RSA-based user authentication and the public key configured for that user to exploit this vulnerability.”
While the vulnerability cannot be exploited to elevate privileges, a malicious actor could obtain administrative privileges on the system, depending on the configuration of the targeted user’s account and the Virtual Teletype (VTY) line.
As Daniel Wesemann of the SANS Institute’s Internet Storm Center has pointed out, it’s unclear how an attacker can craft a private key. Creating a private key based on a known public key should not be possible since that would make most of the common Internet crypto protocols invalid, Wesemann noted.
Others have suggested it might have something to do with a bad pseudorandom number generator (PRNG).
According to Cisco, the vulnerability affects devices running IOS and IOS XE if SSHv2 access is configured with RSA-based user authentication and at least one user is configured with a public key. Devices running IOS XR and NX-OS are not impacted.
Mathias Seiler from MiroNet AG has been credited for reporting the flaw. Cisco says it’s not aware of attacks exploiting this weakness.
This is not the first time Cisco has reported finding weaknesses related to SSH keys. In June, the company revealed the existence of default encryption keys in three of its security products.
Cisco IOS and IOS XE are also plagued by two denial-of-service (DoS) vulnerabilities affecting devices where the IPv6 snooping feature from the first-hop security mechanisms is configured. One of the flaws is caused by insufficient validation of IPv6 ND packets that use the Cryptographically Generated Address (CGA) option (CVE-2015-6279), while the other bug is related to insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets (CVE-2015-6278).
Both security holes can be exploited by a remote, unauthenticated attacker to cause vulnerable devices to reload, Cisco said.
A third advisory published by Cisco on Wednesday details a different DoS flaw (CVE-2015-6282) related to the processing of IPv4 packets when Multiprotocol Label Switching (MPLS) and Network Address Translation (NAT) is required.
The networking giant says the vulnerability impacts IOS XE software running on ASR 1000 series, ISR 4300 and 4400 series, and Cloud Services 1000v series routers.
Since there are no workarounds for either of these security holes, Cisco advises customers to apply the software updates as soon as possible. The DoS vulnerabilities have been identified during internal testing and the company is not aware of in-the-wild exploitation.
While most of the vulnerabilities plaguing Cisco routers have not been exploited by malicious actors, such devices have been targeted. Researchers reported earlier this month that they had identified hundreds of Cisco routers on which malicious actors had replaced the legitimate firmware with a rogue version that gave them persistent access to the targeted network. In these attacks, leveraging a router implant dubbed “SYNful Knock,” attackers haven’t exploited any vulnerabilities, but instead used stolen credentials and a legitimate feature available to administrators.
