If your business uses Cisco routers and RSA public key authentication, be aware of a recent attack hitting this technology.
Cisco routers and firewalls could be susceptible to a security flaw that gives an attacker access to your internal network. The vulnerability is found in Cisco’s IOS and IOS XE operating software (SSH version 2).
The gap could allow a remote attacker to bypass user authentication and log in with user privileges, or privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the VTY line, the intruder may obtain administrative privileges, although privileges cannot be elevated under this particular intrusion.
Here’s how the Cisco intrusion works
To exploit this vulnerability, the attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication, and the public key configured for that user. This vulnerability affects only devices configured for the public key authentication method, also known as an RSA-based user authentication feature.
Cisco has released software updates that address this vulnerability. The only workaround is for administrators to temporarily disable RSA-based user authentication to avoid exploitation. This will require administrators to use password authentication as an alternative.
Are you vulnerable?
All versions of Cisco IOS and Cisco IOS XE software are vulnerable if RSA public key authentication is enabled. To check whether RSA public key authentication is enabled, run the following command from on the Cisco device:
show running-config | begin ip ssh publickey-chain
If that command displays a user account with an RSA public key, then that device is vulnerable. Cisco also provides a software checker web page where administrators can input the Cisco IOS version their devices are running to identify known vulnerabilities in those products.
Incidents like these are reminders that safeguarding your technology is an ongoing process that organizations need to manage. CLA recommends that you evaluate whether this Cisco vulnerability is applicable to your environment, and if so, take corrective action.