The Cisco Umbrella Virtual Appliance Version 2.0.3 and prior contained an undocumented encrypted remote support tunnel (SSH) which auto-initiated from the customer's appliance to Cisco's SSH Hubs in the Umbrella datacenters. These tunnels were primarily leveraged for remote support and allowed authorized/authenticated personnel from the Cisco Umbrella team to access the appliance remotely and obtain full control without explicit customer approval.
It is our policy that any undocumented methods of entry into your network devices be considered a vulnerability due to the potential risk of an attacker leveraging this tunnel to gain access to your network.
While Cisco has NO indications that our remote support SSH hubs have ever been compromised, Cisco has made significant changes to the behavior of the remote support tunnel capability to further secure the feature as documented below.
The Cisco PSIRT has assigned this bug a CVSS version 3 Base score of 6.4 as of the time of evaluation.
CVE ID CVE-2017-6679 has been assigned to document this issue.
Cisco would like to thank Mr David Coomber for finding and reporting this vulnerability and working towards a coordinated disclosure.
The Umbrella Virtual Appliance, running version 2.0.3 or prior versions, established an SSH support tunnel to a terminating server in the Cisco Umbrella datacenter. This was an always-on tunnel and did not require explicit customer approval before establishment. The tunnel facilitated troubleshooting by Cisco support personnel. Access to the terminating server required valid keys and was provided only to privileged support personnel within the Cisco Umbrella network space. Customers could prevent this tunnel from being established by blocking the relevant firewall ports. However, for customers who allowed the tunnel to be established, an attacker who obtained access to the internal Cisco terminating server could use the SSH tunnel as a backdoor to obtain full control of the VA device at the customer's premises.
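The defensive point of the paragraph above is that an always-on, appliance-initiated SSH tunnel is visible from the customer side as a long-lived or continuously re-established outbound TCP/22 session from the appliance. The following is an added example, not code from Cisco or from the advisory: it parses constructed firewall connection-log lines (the log format, addresses, times and the appliance IP 10.0.1.20 are all assumptions made up for illustration) and flags peers to which the appliance keeps an SSH session open longer than a threshold or keeps reconnecting, which is the behaviour a customer would want to block or at least alert on.

```python
# Added example (not part of the Cisco advisory): detect always-on outbound
# SSH sessions from an appliance in constructed firewall connection logs.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log in a syslog-like CONN_START / CONN_END format.
# Hosts, addresses and timestamps are invented for illustration only.
SAMPLE_LOG = """\
2017-06-01T00:00:05Z CONN_START src=10.0.1.20 dst=203.0.113.10 dport=22 proto=tcp id=1
2017-06-01T00:00:07Z CONN_START src=10.0.1.55 dst=10.0.1.20 dport=443 proto=tcp id=2
2017-06-01T00:00:09Z CONN_END id=2
2017-06-01T06:00:05Z CONN_END id=1
2017-06-01T06:00:06Z CONN_START src=10.0.1.20 dst=203.0.113.10 dport=22 proto=tcp id=3
2017-06-01T12:00:06Z CONN_END id=3
2017-06-01T12:00:07Z CONN_START src=10.0.1.20 dst=203.0.113.10 dport=22 proto=tcp id=4
2017-06-01T12:30:00Z CONN_START src=10.0.1.20 dst=198.51.100.5 dport=22 proto=tcp id=5
2017-06-01T12:31:00Z CONN_END id=5
"""

APPLIANCE_IP = "10.0.1.20"  # assumed address of the virtual appliance


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    start: datetime
    end: Optional[datetime] = None  # None means still open at end of log


def parse_sessions(log_text: str) -> Tuple[List[Session], Optional[datetime]]:
    """Pair CONN_START/CONN_END records by id; return sessions and the last timestamp seen."""
    open_by_id: Dict[str, Session] = {}
    sessions: List[Session] = []
    last_ts: Optional[datetime] = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, event, *fields = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        last_ts = ts
        kv = dict(f.split("=", 1) for f in fields)
        if event == "CONN_START":
            s = Session(kv["src"], kv["dst"], int(kv["dport"]), ts)
            open_by_id[kv["id"]] = s
            sessions.append(s)
        elif event == "CONN_END":
            s = open_by_id.pop(kv["id"], None)
            if s is not None:
                s.end = ts
    return sessions, last_ts


def find_persistent_ssh(log_text: str, appliance_ip: str,
                        min_duration: timedelta = timedelta(hours=1),
                        min_reconnects: int = 2) -> List[dict]:
    """Flag SSH peers the appliance stays connected to for a long time or reconnects to repeatedly.

    A session that is still open is measured up to the last timestamp in the log.
    """
    sessions, now = parse_sessions(log_text)
    by_peer: Dict[str, List[Session]] = {}
    for s in sessions:
        if s.src == appliance_ip and s.dport == 22:
            by_peer.setdefault(s.dst, []).append(s)

    findings = []
    for dst, peer_sessions in by_peer.items():
        longest = max((s.end or now) - s.start for s in peer_sessions)
        if longest >= min_duration or len(peer_sessions) >= min_reconnects:
            findings.append({
                "dst": dst,
                "sessions": len(peer_sessions),
                "longest_seconds": int(longest.total_seconds()),
                "still_open": any(s.end is None for s in peer_sessions),
            })
    return sorted(findings, key=lambda f: f["dst"])


if __name__ == "__main__":
    for finding in find_persistent_ssh(SAMPLE_LOG, APPLIANCE_IP):
        print(finding)
```

In the constructed log, the appliance holds two six-hour SSH sessions to 203.0.113.10 and re-opens a third one a second after the previous one ends, which is exactly the "always-on" pattern; the single one-minute session to 198.51.100.5 stays below both thresholds and is not reported. The same logic applies to any appliance-class device whose outbound SSH destinations should be known and approved in advance.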
To address this vulnerability, the Umbrella Virtual Appliance version 2.1.0 now requires explicit customer approval before an SSH tunnel from the VA to the Cisco terminating server can be established. Unlike in earlier versions, this is not an always-on support tunnel. Customers can configure the tunnel duration and disable the support tunnel at any time after establishment. For additional security, the customer is required to provide the tunnel configuration parameters out-of-band to the Cisco support personnel before tunnel establishment.
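The fixed design described above has three properties worth separating: the tunnel is fail-closed until the customer approves it, the approval is time-bounded and revocable, and the party initiating the tunnel must present parameters the customer handed over out-of-band. The following is an added illustration of that decision logic and is not Cisco's implementation; the class, method names and the 24-hour maximum window are assumptions chosen for the example.

```python
# Added example (not Cisco's code): an approval-gated, time-bounded support
# tunnel policy in the style described in the advisory's fix section.
import secrets
from datetime import datetime, timedelta
from typing import Optional, Tuple

MAX_WINDOW = timedelta(hours=24)  # assumed upper bound on a single approval


class SupportTunnelPolicy:
    """Decides whether a support tunnel may be opened or kept open.

    State is deliberately minimal: either there is a current customer approval
    (a secret token plus an expiry) or there is not. Without one, every request
    is denied, so the default is fail-closed.
    """

    def __init__(self) -> None:
        self._token: Optional[str] = None
        self._expires: Optional[datetime] = None
        self._active = False

    def approve(self, now: datetime, duration: timedelta) -> str:
        """Customer explicitly approves a tunnel for a bounded duration.

        Returns the token the customer passes to support out-of-band.
        """
        if duration <= timedelta(0) or duration > MAX_WINDOW:
            raise ValueError("duration must be positive and at most %s" % MAX_WINDOW)
        self._token = secrets.token_hex(16)
        self._expires = now + duration
        self._active = False
        return self._token

    def request_tunnel(self, now: datetime, presented_token: str) -> Tuple[bool, str]:
        """Support side asks to open the tunnel, presenting the out-of-band token."""
        if self._token is None or self._expires is None:
            return False, "denied: no customer approval on record"
        if now >= self._expires:
            self.disable()
            return False, "denied: approval window has expired"
        # Constant-time comparison so a mismatch does not leak token bytes.
        if not secrets.compare_digest(presented_token, self._token):
            return False, "denied: presented parameters do not match approval"
        self._active = True
        return True, "permitted until %s" % self._expires.isoformat()

    def tunnel_allowed(self, now: datetime) -> bool:
        """Checked periodically by the appliance; tears the tunnel down on expiry."""
        if not self._active or self._expires is None:
            return False
        if now >= self._expires:
            self.disable()
            return False
        return True

    def disable(self) -> None:
        """Customer (or the expiry check) revokes the approval and closes the tunnel."""
        self._token = None
        self._expires = None
        self._active = False


def scenario() -> list:
    """Walk through the lifecycle once and return the decisions made."""
    t0 = datetime(2017, 6, 1, 9, 0, 0)  # constructed timestamp
    policy = SupportTunnelPolicy()
    trace = []
    trace.append(policy.request_tunnel(t0, "anything")[0])          # no approval yet
    token = policy.approve(t0, timedelta(hours=2))
    trace.append(policy.request_tunnel(t0, "wrong-token")[0])       # wrong parameters
    trace.append(policy.request_tunnel(t0 + timedelta(minutes=1), token)[0])
    trace.append(policy.tunnel_allowed(t0 + timedelta(hours=1)))    # inside window
    trace.append(policy.tunnel_allowed(t0 + timedelta(hours=3)))    # expired, auto-closed
    trace.append(policy.request_tunnel(t0 + timedelta(hours=3), token)[0])
    return trace


if __name__ == "__main__":
    print(scenario())
```

The expiry check lives in `tunnel_allowed` as well as in `request_tunnel`, so an approval that lapses while a session is up closes the session rather than only preventing new ones; that is what makes "configure the tunnel duration" meaningful rather than a one-time gate at connect time.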
Additional documentation on the new support tunnel mechanism can be found at the following location: https://support.umbrella.com/hc/en-us/articles/115004154423