Administrators of Cisco environments currently have three vulnerabilities to patch: CVE-2022-20732 in the Virtualized Infrastructure Manager, CVE-2022-20773 in the Umbrella Virtual Appliance and CVE-2022-20783 in the TelePresence Collaboration Endpoint and RoomOS Software (H.323). Cisco has released patches that close all three. The vulnerability in the Umbrella Virtual Appliance is particularly interesting because it would have allowed attackers to exploit static SSH keys for a man-in-the-middle attack.
Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi
“Cisco was lucky that this vulnerability was discovered by a researcher and not by an attacker, otherwise this would have been a very serious zero-day vulnerability,” says Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “And on top of that, maybe also payday for a threat actor capable of developing an exploit. Of particular concern is the fact that this vulnerability allows for administrator-level compromise – the holy grail for attackers. This type of access allows the attacker to extend his rights, install backdoors in systems, exfiltrate large amounts of data unnoticed, and basically enter and leave any device and system without being questioned.
“Cisco is currently having problems with its SSH keys for the second time. So the company really needs to take a closer look at how it manages these critical machine identities – otherwise, it may not be so lucky next time. However, Cisco is not alone. SSH keys are incredibly powerful machine identities and are used everywhere, but they are also poorly understood and managed, which makes them a favorite target for attackers.
“To make matters worse, they are very durable. Unlike other machine identities like TLS, they don’t expire. This means that a compromised identity can be abused for months, if not years, without an organization knowing about it. Given the high level of privileges granted to them, this is a very serious gap in organizational security.
“However, it can be seen that companies have recognized the problem. We are observing the trend of companies replacing SSH keys with SSH certificates that contain an expiration period. In addition, companies must have an overview of all their machine identities. IT security professionals must be able to set and enforce policies that automate the rotation of machine identities that may leave them unprotected. With the large number of machine identities that are present in companies today, automation is an absolute must for every company that takes the issue of machine identities seriously.”
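As an added illustration of the expiration period that distinguishes an SSH certificate from a bare SSH key (example code written for this page, not from the article, Cisco or Venafi): an OpenSSH certificate carries `valid_after` and `valid_before` timestamps inside its signed body, and a server rejects it outside that window. The script builds a constructed, unsigned ed25519 user certificate with hypothetical values and parses the window back out; it checks the dates only and does not verify the CA signature.

```python
import base64
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def build_demo_cert(valid_after: int, valid_before: int, key_id: str = "alice") -> str:
    """Build a CONSTRUCTED, UNSIGNED ssh-ed25519 user certificate line.
    Key bytes, nonce and signature are placeholders; only the layout is real."""
    body = (
        _s(CERT_TYPE) + _s(b"\x00" * 32)             # type name, nonce
        + _s(b"\x11" * 32)                           # placeholder ed25519 public key
        + struct.pack(">QI", 1, 1)                   # serial, type (1 = user certificate)
        + _s(key_id.encode()) + _s(_s(b"alice"))     # key id, list of principals
        + struct.pack(">QQ", valid_after, valid_before)  # the validity window
        + _s(b"") + _s(b"") + _s(b"")                # critical options, extensions, reserved
        + _s(b"\x22" * 32) + _s(b"")                 # signature key, (empty) signature
    )
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


def cert_validity(cert_line: str):
    """Return (key_id, valid_after, valid_before) from an OpenSSH ed25519 certificate
    line. Reads the validity window only; the CA signature is NOT checked here."""
    blob = base64.b64decode(cert_line.split()[1])
    pos = 0

    def read_str():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        val = blob[pos:pos + n]
        pos += n
        return val

    if read_str() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    read_str(), read_str()            # skip nonce and public key
    pos += 12                         # skip uint64 serial + uint32 type
    key_id = read_str().decode()
    read_str()                        # skip principals
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return key_id, valid_after, valid_before


def is_cert_valid_at(cert_line: str, now: int = None) -> bool:
    """OpenSSH accepts a certificate only while valid_after <= now < valid_before."""
    now = int(time.time()) if now is None else now
    _, after, before = cert_validity(cert_line)
    return after <= now < before
```

A key without a certificate has no such window at all, which is the durability problem the quote describes.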