Cisco fixes hard-coded credentials and default SSH key issues (Security News, November 2021)
Cisco has released security updates to address critical security flaws that allow unauthenticated attackers to log in using hard-coded credentials or default SSH keys and take over unpatched devices.
"A vulnerability in the Telnet service of Cisco Catalyst PON Series Switches ONT could allow an unauthenticated, remote attacker to log in to the affected device by using a debugging account that has a default, static password," the company explains in an advisory published yesterday.
The second critical security flaw patched yesterday is tracked as CVE-2021-40119 and is caused by the re-use of static SSH keys across Cisco Policy Suite installations.
"A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user," Cisco explains.
Cisco Policy Suite software releases 21.2.0 and later will automatically create new SSH keys during the install process but not during upgrades.
To generate new SSH keys and propagate them to all machines, you can use the steps detailed in the Fixed Releases section of Cisco's advisory.
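As an added example (not code from the article or from Cisco), the following Python script checks a fleet for the condition behind CVE-2021-40119: the same SSH public key present on more than one installation, which is what you would expect on nodes that were upgraded rather than freshly installed. It computes OpenSSH-style SHA256 fingerprints of key lines collected from each node and reports any fingerprint that appears on multiple hosts. The inventory, host names and key blobs are constructed for the demonstration; the only real facts used are the OpenSSH public key and fingerprint formats.

```python
import base64
import hashlib
from collections import defaultdict

# OpenSSH key-type tokens; used to locate the base64 blob even when an
# authorized_keys line carries leading options such as command="...".
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _fake_ed25519_pubkey(seed: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a 32-byte
    seed. Constructed for this example; not a real Cisco or customer key."""
    assert len(seed) == 32
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + seed
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def build_sample_inventory() -> dict:
    """Constructed sample: host name -> lines from that node's authorized_keys
    (or ssh_host_*_key.pub). 'static' is present on all three nodes, the
    upgrade-without-rotation case; node2 also has one unique key."""
    static = _fake_ed25519_pubkey(b"S" * 32, "root@image-build")
    unique = _fake_ed25519_pubkey(b"U" * 32, "admin@cps-node2")
    return {
        "cps-node1": [static],
        "cps-node2": ["# keys for node2", static, unique],
        "cps-node3": [static, ""],
    }


def openssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH 'SHA256:<base64 without padding>' fingerprint of a
    public key line, i.e. SHA-256 over the decoded key blob."""
    parts = pubkey_line.split()
    for i, token in enumerate(parts[:-1]):
        if token in KEY_TYPES:
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not a public key line: {pubkey_line!r}")


def find_shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> sorted list of hosts, keeping only fingerprints that
    appear on more than one host. Blank lines and comments are skipped."""
    hosts_by_fp = defaultdict(set)
    for host, lines in inventory.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            hosts_by_fp[openssh_fingerprint(line)].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(build_sample_inventory()).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it the key files gathered from each node over your normal administrative channel; any fingerprint reported on more than one host is a key that was never rotated after upgrade and should be regenerated and redistributed following the steps in the Fixed Releases section of the advisory. The fingerprints match what `ssh-keygen -lf` prints, so findings can be cross-checked directly on a node.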
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-11-04 | CVE-2021-40119 | Use of Hard-coded Credentials vulnerability in Cisco Policy Suite: a vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. | 9.8 |