What is the Vulnerability?
A vulnerability in the Cisco Umbrella Virtual Appliance (VA) was discovered last week by Fraser Hess of Pinnacol Assurance (tracked as CVE-2022-20773). The flaw is in the key-based SSH authentication mechanism of the VA, which could allow an unauthenticated, remote attacker to impersonate a VA.
Cisco Umbrella is a cloud-delivered security service used by over 24,000 organizations as DNS-layer security against phishing, malware, and ransomware attacks. The service uses on-premises virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data.
“This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA,” Cisco explained. “A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA.” Note: SSH is not enabled by default on the Umbrella VA.
The vulnerability impacts the Cisco Umbrella VA for Hyper-V and VMware ESXi running software versions earlier than 3.3.2.
Criticalness and Who is Affected
All users of Cisco Umbrella Virtual Appliances that have enabled SSH and have not updated to version 3.3.2 or above are affected by this vulnerability. Left unaddressed, it has the potential to lead to an incident and be severely harmful. Our cybersecurity experts rate the criticalness level of this vulnerability as a 7/10 if you use Umbrella VA and configured SSH incorrectly, meaning you used a default SSH key instead of generating a new one.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. For more information on the vulnerability, view Cisco’s advisory page.
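One way to check your own appliances for the static host key condition described above, as an added example that is not from Cisco or the original article: it reads `ssh-keyscan`-style output (`host keytype base64key`) and reports any host key presented by more than one appliance. It assumes a static key shows up as the same key on several VAs; the hostnames and key blobs below are constructed samples.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text: str) -> dict:
    """Map fingerprint -> sorted hosts, only for keys seen on 2+ hosts."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip blanks, comments and incomplete lines
        host, _keytype, key_b64 = fields[:3]
        try:
            hosts_by_fp[fingerprint(key_b64)].add(host)
        except ValueError:
            continue  # malformed base64, not a usable key line
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def _sample_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 blob for the demo (not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(blob).decode()


# Constructed sample input: two appliances share one key, one has its own.
STATIC, UNIQUE = _sample_blob(b"static"), _sample_blob(b"unique")
SAMPLE_KEYSCAN = "\n".join([
    "# constructed sample, hostnames are placeholders",
    f"va1.example.internal ssh-ed25519 {STATIC}",
    f"va2.example.internal ssh-ed25519 {STATIC}",
    f"va3.example.internal ssh-ed25519 {UNIQUE}",
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is presented by: {', '.join(hosts)}")
```

Any appliance reported here should be updated to 3.3.2 or above, and its host key re-verified afterwards.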