Cisco has released security updates to address a high-severity vulnerability in the Cisco Umbrella Virtual Appliance (VA) that allows unauthenticated, remote attackers to steal administrator credentials.

Fraser Hess of Pinnacol Assurance found the flaw, tracked as CVE-2022-20773, in the key-based SSH authentication mechanism of Cisco Umbrella VA. Cisco Umbrella, a cloud-delivered security service used by over 24,000 organizations as DNS-layer security against phishing, malware, and ransomware attacks, uses these on-premises virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data.

"This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA," Cisco explained. "A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA."

The vulnerability impacts the Cisco Umbrella VA for Hyper-V and VMware ESXi running software versions earlier than 3.3.2. Luckily, Cisco says that the SSH service is not enabled by default on Umbrella on-premises virtual machines, which significantly lowers the vulnerability's overall impact.

The Cisco Product Security Incident Response Team (PSIRT) also said that there is no public proof-of-concept exploit code available online for this vulnerability and added that it is not aware of any ongoing exploitation in the wild.

Why a static host key is serious: the SSH host key is the only thing that lets an administrator's client tell the real appliance from an impostor. If the same private host key ships in every VA image, anyone who can obtain one copy of the appliance can present that key from a machine sitting between the admin and the VA, and a client that has already accepted the key (or that accepts it on first use) will show no host-key warning while the attacker relays the session and captures whatever is typed into it, including the credentials. Two checks are worth doing in addition to upgrading: confirm that your appliances no longer present identical host-key fingerprints to one another, and remove any stale entries for the old key from administrators' known_hosts files, since a client that still trusts the static key will still accept an impostor that holds it.
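The following is an added example, not code from the article or from Cisco, showing how to check a fleet for the condition described above: several hosts presenting the same SSH host key. It parses known_hosts or `ssh-keyscan` style lines, computes the OpenSSH-style SHA256 fingerprint (base64 of the SHA-256 of the decoded key blob, without padding, the same value `ssh-keygen -lf` prints), and reports any fingerprint seen on more than one host. The hostnames and keys in the sample are constructed for the demonstration; none are real appliance keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Build the base64 key blob as it appears in known_hosts / ssh-keyscan output.

    Used here only to construct sample data; real keys come from the hosts.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64(sha256(decoded blob))."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_key_lines(lines):
    """Yield (host, keytype, key_b64) from known_hosts or ssh-keyscan lines.

    Comments and blank lines are skipped. Hashed hosts ('|1|...') are treated as
    opaque strings, which is enough to tell distinct entries apart.
    """
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # '@cert-authority' / '@revoked' marker lines shift every field by one.
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        host, keytype, key_b64 = fields[0], fields[1], fields[2]
        yield host, keytype, key_b64


def find_shared_host_keys(lines):
    """Return {fingerprint: sorted hosts} for every key presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, key_b64 in parse_host_key_lines(lines):
        hosts_by_fp[fingerprint(key_b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample data (hypothetical hostnames and keys, not real appliance keys).
STATIC_KEY = ed25519_blob(bytes(range(32)))        # one key reused on three hosts
UNIQUE_KEY = ed25519_blob(bytes(range(100, 132)))  # a host with its own key
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, not real appliance keys",
    f"va-1.example.internal ssh-ed25519 {STATIC_KEY}",
    f"va-2.example.internal ssh-ed25519 {STATIC_KEY}",
    f"[va-3.example.internal]:2222 ssh-ed25519 {STATIC_KEY}",
    f"jumphost.example.internal ssh-ed25519 {UNIQUE_KEY}",
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

To run it against real appliances, feed it the output of `ssh-keyscan -t rsa,ecdsa,ed25519 <host1> <host2> ...` (same line format) or an administrator's `~/.ssh/known_hosts`; any fingerprint listed with more than one host is a shared host key and should not be trusted as proof of a specific appliance's identity. A single appliance's fingerprint can be cross-checked by hand with `ssh-keyscan <host> | ssh-keygen -lf -`.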