Exploit the possiblities

Cisco Umbrella Virtual Appliance 2.0.3 Undocumented Support Tunnel

Cisco Umbrella Virtual Appliance 2.0.3 Undocumented Support Tunnel
Posted Oct 24, 2017
Authored by David Coomber

Cisco Umbrella Virtual Appliance versions 2.0.3 and below contain an undocumented, auto-initiated reverse SSH tunnel which allows the Cisco Umbrella support team to have persistent and unrestricted access to the virtual appliance.

tags | advisory
systems | cisco
advisories | CVE-2017-6679
MD5 | b176f5aecc3e42a73c69376a8d0395b6

Cisco Umbrella Virtual Appliance 2.0.3 Undocumented Support Tunnel

Change Mirror Download
Cisco Umbrella Virtual Appliance - Undocumented Support Tunnel (CVE-2017-6679)

Overview

"As the industryas first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes."

(https://umbrella.cisco.com/)

Issue

The Cisco Umbrella virtual appliance (version 2.0.3 and below) contains an undocumented, auto-initiated reverse SSH tunnel which allows the Cisco Umbrella support team to have persistent and unrestricted access to the virtual appliance.

Impact

The reverse SSH tunnel allows the Cisco Umbrella support team to have a persistent node on the network the virtual appliance is deployed on. A rogue employee or attacker able to compromise the Cisco Umbrella infrastructure could have access to all virtual appliances across the Cisco Umbrella customer base and perform a wide range of attacks.

Timeline

December 22, 2015 - Notified OpenDNS via security@opendns.com
December 22, 2015 - OpenDNS responded stating that they will investigate
January 4, 2016 - Asked for an update on their investigation
January 11, 2016 - OpenDNS said they are working through a number of options to resolve the issue
February 2, 2016 - OpenDNS advised they've shortlisted a couple of solutions and will provide another update in a week or so
February 17, 2016 - OpenDNS said they would like to schedule a call to discuss
February 24, 2016 - Had a call with OpenDNS to discuss possible solutions
April 22, 2016 - Asked for an update on the progress of the fix
May 3, 2016 - Asked for an update on the progress of the fix
July 27, 2016 - Sent the vulnerability details to the Cisco PSIRT team
July 29, 2016 - Cisco assigned a case number and asked to schedule a call to discuss
August 17, 2016 - Had a call with the Cisco PSIRT team to discuss possible solutions
September 26, 2016 - Asked for an update on the progress of the fix
October 6, 2016 - Cisco provided a status update
December 14, 2016 - Asked for an update on the progress of the fix
December 19, 2016 - Cisco provided a status update
January 10, 2017 - Asked for an update on the progress of the fix
January 10, 2017 - Cisco provided a status update
May 26, 2017 - Cisco assigned CVE-2017-6679 and advised that the issue would be made public in the next week
June 2, 2017 - Cisco asked to move the disclosure date to August 31, 2017
August 30, 2017 - Cisco released virtual appliance version 2.1.0 which resolves this vulnerability by removing the undocumented reverse SSH tunnel
September 21, 2017 - Cisco published a security advisory to document this issue

Solution

Upgrade to virtual appliance 2.1.0 or later

https://support.umbrella.com/hc/en-us/articles/115004752143-Virtual-Appliance-Vulnerability-due-to-always-on-SSH-Tunnel-RESOLVED-2017-09-15

CVE-ID: CVE-2017-6679

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close