Cisco Umbrella default SSH key allows attackers to steal administrator credentials.

Cisco has released a security update addressing a high-severity vulnerability in the Cisco Umbrella Virtual Appliance (VA) that lets an unauthenticated, remote attacker steal administrator credentials.

Fraser Hess of Pinnacol Assurance discovered this flaw (tracked as CVE-2022-20773) in the Cisco Umbrella VA’s key-based SSH authentication mechanism.

Cisco Umbrella is a cloud-based security service used by more than 24,000 organizations for DNS-layer protection against phishing, malware, ransomware and other attacks.

The Umbrella VAs are on-premises virtual machines deployed as conditional DNS forwarders that record, encrypt, and authenticate DNS data.

The vulnerability stems from a static SSH host key: because the key is the same on every affected appliance rather than generated per installation, an attacker who knows it can perform a man-in-the-middle attack against SSH connections to the Umbrella VA.

If successful, the attacker can obtain the administrator's credentials, change the configuration, and reload the VA.
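A static host key shows up as the same key fingerprint on every appliance, so one fleet-level check is to compare the host keys your VAs present. The script below is an added example (not Cisco's code and not from the advisory): it parses ssh-keyscan-style output, computes OpenSSH SHA256 fingerprints, and reports any key presented by more than one host. The hostnames and key blobs are constructed sample data.

```python
"""Flag SSH host keys that are shared across appliances.

Added example (not Cisco's code). A static host key means every appliance
presents the same key, so an attacker who knows it can impersonate the
appliance to an admin's SSH client. This script groups the output of
`ssh-keyscan` by OpenSSH-style SHA256 fingerprint and reports fingerprints
seen on more than one host. The sample lines below are constructed.
"""
import base64
import hashlib
from collections import defaultdict


def _blob(raw: bytes) -> str:
    """Base64-encode a (constructed) key blob the way ssh-keyscan prints it."""
    return base64.b64encode(raw).decode()


# Constructed sample in ssh-keyscan's "host keytype base64blob" format.
# Hosts va1 and va3 deliberately present the same key blob.
SAMPLE_KEYSCAN = "\n".join([
    "# va1.example.internal:22 SSH-2.0-OpenSSH_8.0",  # comment lines are skipped
    "va1.example.internal ssh-ed25519 " + _blob(b"constructed-key-A"),
    "va2.example.internal ssh-ed25519 " + _blob(b"constructed-key-B"),
    "va3.example.internal ssh-ed25519 " + _blob(b"constructed-key-A"),
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) for each key line in ssh-keyscan output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than crash
        host, keytype, blob = parts[0], parts[1], parts[2]
        yield host, keytype, fingerprint(blob)


def shared_host_keys(text: str) -> dict:
    """Return {"keytype fingerprint": sorted hosts} for keys presented by more than one host."""
    seen = defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        seen[(keytype, fp)].add(host)
    return {f"{kt} {fp}": sorted(hosts) for (kt, fp), hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"static host key suspected: {key} presented by {', '.join(hosts)}")
```

Feed it real output from `ssh-keyscan` over your appliance list; any fingerprint reported for two or more hosts is a key that was not generated per installation.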

This vulnerability affects Cisco Umbrella VA for Hyper-V and VMware ESXi running software versions prior to 3.3.2.

No effect on Umbrella VA default settings

Cisco said that the SSH service is not enabled by default on Umbrella on-premises virtual machines, which greatly reduces the overall impact of this vulnerability.

To check whether SSH is enabled on a Cisco Umbrella Virtual Appliance, log in to the hypervisor console, press CTRL+B to enter configuration mode, and run the “config va show” command to display the VA configuration.

On systems where SSH is enabled, the line “SSH access : enabled” appears at the end of the command output.

There is no workaround or mitigation for this flaw, so Cisco recommends that users upgrade to the fixed software release.
