CVE-2021-40119: Cisco Policy Suite Static SSH Keys Vulnerability Alert

Cisco issued a security bulletin explaining the recently discovered and fixed security vulnerabilities. According to the bulletin, Cisco used hard-coded debugging accounts in some devices.

The so-called hard-coded debugging account refers to the account and password directly written in the firmware, so anyone who finds this account and password can directly log in to the device.

And this type of debugging account usually has extremely high permissions and can be used to do anything. Companies using Cisco equipment are advised to check the security bulletin to fix the vulnerabilities as soon as possible.

In addition to hard-coded debugging accounts, Cisco also has supporting software that reuses static SSH keys. Attackers can extract the keys from the control system to launch attacks.

The hard-coded debugging account issue affects the optical network terminals of the Cisco Catalyst PON Series Switches Optical Network Terminal. The vulnerability may cause serious security impacts on the device.

To exploit this vulnerability, an attacker must use a vulnerable device to establish a TELNET session and log in with a hard-coded debugging account. Fortunately, TELNET is not enabled by default.

This can affect the number of devices an attacker can use to reduce the scope of the attack, even though this CVE-2021-34795 has a CVSS score of 10 points.

The affected devices include CGP-ONT-1P, 4P, 4PV, 4PVC, 4TVCW switches. Enterprise administrators should download new firmware to fix the vulnerabilities as soon as possible.

In addition, Cisco confirmed that the vulnerability will not affect CGP-OLT-8T/16T. For the specific affected devices and related firmware downloads, please click here to view the security bulletin.

Another critical vulnerability (CVE-2021-40119) is the default SSH key in Cisco Policy Suite, which reuses static SSH keys during installation.

An attacker can extract the key from the controlled system to exploit this vulnerability. An unverified remote attacker can log in to the affected system with the root account.

Cisco Policy Software 21.2.0 and later will automatically create new SSH keys during the installation process, but will not create new SSH keys during the upgrade process.

To generate a new key and cover it to all devices, enterprise administrators can refer to the operating steps provided in the fixed version section of the Cisco Security Bulletin.