The Cisco Umbrella Virtual Appliance (VA) version 2.1.0 and earlier included default static user credentials that could enable shell access from the VA console. This was intended as a contingent support mechanism – to enable troubleshooting of VAs when an SSH tunnel cannot be established.
However, this mechanism could potentially allow an authenticated local attacker to log in to an affected virtual appliance with root privileges. Additional details can be found at:
While Cisco has no indications or reports from customers that this mechanism has ever been used as part of an internal attack, starting with VA version 2.1.2 (which has been rolled out to all customers), root access can no longer be enabled from the VA console using these static credentials.
Please ensure that all your VAs are upgraded to the latest version to take advantage of this fix. The VA version can be viewed on the Umbrella dashboard against each VA on the Settings, Sites and AD page. If your VA is out of date, you will see a yellow triangle alert against the VA. Instructions to upgrade the VA are available here: https://docs.umbrella.com/product/umbrella/appx-a-updates/