Cisco Umbrella Virtual Appliance - Undocumented Support Tunnel (CVE-2017-6679) Overview "As the industryas first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes." (https://umbrella.cisco.com/) Issue The Cisco Umbrella virtual appliance (version 2.0.3 and below) contains an undocumented, auto-initiated reverse SSH tunnel which allows the Cisco Umbrella support team to have persistent and unrestricted access to the virtual appliance. Impact The reverse SSH tunnel allows the Cisco Umbrella support team to have a persistent node on the network the virtual appliance is deployed on. A rogue employee or attacker able to compromise the Cisco Umbrella infrastructure could have access to all virtual appliances across the Cisco Umbrella customer base and perform a wide range of attacks. Timeline December 22, 2015 - Notified OpenDNS via security@opendns.com December 22, 2015 - OpenDNS responded stating that they will investigate January 4, 2016 - Asked for an update on their investigation January 11, 2016 - OpenDNS said they are working through a number of options to resolve the issue February 2, 2016 - OpenDNS advised they've shortlisted a couple of solutions and will provide another update in a week or so February 17, 2016 - OpenDNS said they would like to schedule a call to discuss February 24, 2016 - Had a call with OpenDNS to discuss possible solutions April 22, 2016 - Asked for an update on the progress of the fix May 3, 2016 - Asked for an update on the progress of the fix July 27, 2016 - Sent the vulnerability details to the Cisco PSIRT team July 29, 2016 - Cisco assigned a case number and asked to schedule a call to discuss August 17, 2016 - Had a call with the Cisco PSIRT team to discuss possible solutions September 26, 2016 - Asked for an update on the progress of the fix October 6, 2016 - Cisco provided a status update December 14, 2016 - Asked for an update on the progress of the fix December 19, 2016 - Cisco provided a status update January 10, 2017 - Asked for an update on the progress of the fix January 10, 2017 - Cisco provided a status update May 26, 2017 - Cisco assigned CVE-2017-6679 and advised that the issue would be made public in the next week June 2, 2017 - Cisco asked to move the disclosure date to August 31, 2017 August 30, 2017 - Cisco released virtual appliance version 2.1.0 which resolves this vulnerability by removing the undocumented reverse SSH tunnel September 21, 2017 - Cisco published a security advisory to document this issue Solution Upgrade to virtual appliance 2.1.0 or later https://support.umbrella.com/hc/en-us/articles/115004752143-Virtual-Appliance-Vulnerability-due-to-always-on-SSH-Tunnel-RESOLVED-2017-09-15 CVE-ID: CVE-2017-6679