Cisco patches virtual appliances after SSH error

Cisco has been left red-faced after discovering that three virtual appliance products were shipped with the same default encryption keys, potentially allowing everybody with the keys to decrypt data traffic sent through the products.

The company has issued a patch for Cisco’s Web Security Virtual Appliance, Email Security Virtual Appliance and Security Management Virtual Appliance.

The appliances were released using default authorised SSH and SSH host keys, Cisco said in a security advisory. The vulnerability could allow unauthenticated, remote attackers to access affected systems with root user privileges.

Specifically, an exploit could allow attackers managing to obtain the SSH private keys to decrypt communication between any of the devices, or to impersonate secure communications between any virtual content security appliances.

A well as the patch, Cisco has released a tool to allow customers to obtain unique keys. Physical hardware or virtual appliances purchased after Thursday will not be affected.

The disclosure is bad timing for Cisco as the company has been making a push to play a deeper role in securing the extended network. Earlier this month, the company announced a series of new products and services designed to address security across the entire networking portfolio, from the data centre out to endpoints, branch offices and the cloud.

The new products included a threat protection system for VPN-enabled endpoints, a service for campus and branch offices combining centrally managed intrusion prevention and advanced malware protection, as well as embedded security products as sensors for network infrastructure.

Cisco also announced a cloud-based hosted identity service as well as solutions for securing programmable networks aimed at service providers.

At the time, Cisco Senior Vice President of Security David Goeckeler said the new products and services are designed to “[provide] enterprises and service providers with the confidence that they have the continuous and retrospective visibility and control to support new technologies and business opportunities in the Internet of Everything and the Digital Economy.” The company’s recent gaffe threatens to shake this confidence.

Cisco has meanwhile released the Australian statistics for its annual Visual Networking Index, predicting that IP traffic in Australia will grow threefold to 1.4 Exabytes per month by 2019. This would translate to a compound annual growth rate of 22% from the 499 Petabytes of data traffic generated in 2014.

“To put this in some context, that’s 154 times the amount of traffic in 2005,” noted Cisco ANZ CTO Kevin Bloch.

“This type of growth is unparalleled. Our research shows that technology and connectedness are being embraced and driven by consumers faster than businesses have time to adapt or that the current network has the capacity to hold.”

IP traffic growth is being driven by an increase in the number of devices connected to the internet in the IoT era. Cisco forecasts that by 2019 there will be 219.6 million networked devices in Australia, up from 115.7 million last year. Wi-Fi and cellular devices are expected to generate 72% of IP traffic by this time, with Wi-Fi alone accounting for 60% of total traffic.

The rapid growth has implications for businesses and the Australian economy, Bloch said. Business IP traffic is set to double by 2019 with business mobile data traffic growing five-fold and video traffic increasing by 3.4 times.

“We are all aware that the Internet of Everything has arrived, yet few businesses have prepared for it; the numbers and trends are clear and sometimes quite amazing,” he said. “Whether you look at the average number of connected devices per person by 2019 (eight), or consumer mobile data traffic growing six-fold, or internet video growing 3.8-fold, the opportunities and threats to every business is significant.”

To help meet this challenge, Cisco also revealed it will be launching its first Internet of Everything innovation centre in Australia on 2 July. The facility at Curtin University in Perth forms part of a $15 million investment, which will also help fund a similar centre in Sydney scheduled to launch later this year.

Image courtesy of B Rosen under CC