Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Flaw in Cisco Products Exposes Users to MitM Attacks

Cisco has published an advisory to warn customers about a man-in-the-middle (MitM) vulnerability affecting over two dozen of the company’s products.

Cisco has published an advisory to warn customers about a man-in-the-middle (MitM) vulnerability affecting over two dozen of the company’s products.

IT security consultancy SEC Consult published a report this week on how the reuse of HTTPS certificates and SSH keys exposes millions of devices to attacks. An analysis of over 4,000 firmware images from the products of more than 70 vendors revealed that Internet of Things (IoT) devices such as gateways, routers, modems, VoIP phones and IP cameras include hardcoded SSH host keys and X.509 certificates.

Researchers uncovered a total of 580 unique private keys, 230 of which are used by more than 4 million hosts, including many that can be remotely accessed from the Internet. SEC Consult has warned that malicious actors can leverage these cryptographic secrets for impersonation, MitM and passive decryption attacks.

There is a long list of affected vendors, including Alcatel-Lucent, Cisco, D-Link, Deutsche Telekom, Edimax, Huawei, Linksys, Motorola, Netgear, Philips, Seagate, TP-Link, TRENDnet, Tenda, Unify, Ubiquiti Networks, Vodafone, WD, ZTE and ZyXEL. Impacted firms have been notified by CERT/CC and some of them have started rolling out fixes or providing mitigation advice.

CVE identifiers have so far been assigned for Cisco (CVE-2015-6358), ZTE (CVE-2015-7255), ZyXEL (CVE-2015-7256), Technicolor (CVE-2015-7276) and Unify (CVE-2015-8251). Cisco has published an advisory containing vulnerability details and a list of impacted products.

The list of affected Cisco products includes routers, wireless access points, IP cameras, gateways and firewalls. The company has yet to release software updates that address the vulnerability and since there are no workarounds, customers have been advised to restrict SSH and HTTPS access to known IP addresses.

“A vulnerability in the cryptographic implementation of multiple Cisco products could allow an unauthenticated, remote attacker to make use of hard-coded certificate and keys embedded within the firmware of the affected device,” Cisco wrote in its advisory. “The vulnerability is due to the lack of unique key and certificate generation within affected appliances. An attacker could exploit this vulnerability by using the static information to conduct man-in-the-middle attacks to decrypt confidential information on user connections.”

Cisco says there is no evidence that the vulnerability has been exploited for malicious purposes. The company has classified the flaw as a medium severity issue and pointed out that it cannot be exploited to compromise the device itself. Furthermore, the company noted that an attacker needs to obtain not only the public/private key pair, but also a privileged position on the target’s network.

SEC Consult’s report revealed that more than 26,000 Cisco devices provided by Australian ISP Telstra to its customers are exposed to remote access via SSH.

The number of devices exposed by other ISPs in much higher. For example, US-based CenturyLink has more than a half million affected devices, while Mexico’s TELMEX exposes over a million Huawei modems.

This is not the first time experts have found Cisco products that put customers at risk due to default cryptographic keys. In July 2014, the company warned users about the existence of default SSH private keys in Cisco Unified Communications Domain Manager, and this year in June users were informed of default SSH keys in Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) products.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).