Guest

Cisco Security

Cisco Security Advisory

Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability

Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability

Critical
Advisory ID:
cisco-sa-20150923-sshpk
Published:
2015 September 23 16:00  GMT
Version 1.0:
Final
CVSS Score:
Workarounds:
See below
Cisco Bug IDs:
CSCus73013
CVSS Score:
Workarounds:
See below
Cisco Bug IDs:
CSCus73013
CVE-2015-6280
CWE-287

  • A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication.

    Successful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.

    The attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication and the public key configured for that user to exploit this vulnerability. This vulnerability affects only devices configured for public key authentication method, also known as an RSA-based user authentication feature.

    Cisco has released software updates that address this vulnerability. Workarounds for this vulnerability are not available; however administrators could temporarily disable RSA-based user authentication to avoid exploitation. This advisory is available at the following link:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk

    Note: The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:

    http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html

  • This vulnerability affects products running a vulnerable version of Cisco IOS or Cisco IOS XE Software. Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected versions.

    Vulnerable Products

    Devices running a vulnerable version of Cisco IOS and Cisco IOS XE Software are affected if SSHv2 access is configured with RSA-based user authentication and at least one user is configured with a public key.

    To determine whether RSA-based user authentication is configured for SSHv2 access, use the show running-config | begin ip ssh pubkey-chain command and verify that the ip ssh pubkey-chain command is present and that at least one user is configured.

    The following example shows a Cisco IOS router with SSHv2 RSA-based user authentication enabled and configured to authenticate the user test-user:

    router#show running-config | begin ip ssh pubkey-chain
    ip ssh pubkey-chain
      username test-user
       key-hash ssh-rsa XXXXXXXXXXXXXXXXXXXXX 
    [...]
    Note: The SSHv2 RSA-based user authentication method is enabled by default; however, the public key of a user must be manually imported to enable the functionality.

    To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.

    The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)T1 with an installed image name of C2951-UNIVERSALK9-M:

    Router> show version 
    Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
!--- output truncated

    For information about the naming and numbering conventions for Cisco IOS Software, see White Paper: Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    Cisco IOS XR Software and Cisco NX-OS Software are not affected by this vulnerability.

    No other Cisco products are currently known to be affected by these vulnerabilities.

  • Cisco IOS SSHv2 supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server. RSA-based user authentication uses a private/public key pair associated with each user for authentication.

    A vulnerability in the SSH version 2 (SSHv2) implementation of the public key authentication method of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication.

    The vulnerability is due to a flaw in the implementation of the SSHv2 public key authentication method, also known as Rivest, Shamir, and Adleman (RSA)-based user authentication. An attacker could exploit this vulnerability by authenticating to an affected system configured for SSHv2 RSA-based user authentication using a crafted private key. The attacker must know a valid username configured for RSA-based user authentication and the public key configured for that user to exploit this vulnerability.

    A successful exploit could allow the attacker to bypass user authentication and log in with the privileges of the user or with the privileges configured for the virtual teletype (VTY) line. Depending on the configuration of the user and of the VTY line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.



    This vulnerability is documented in Cisco bug ID CSCus73013 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-6280.

  • There are no workarounds for this vulnerability. Administrators could temporarily disable the SSHv2 RSA-based user authentication until the affected system is upgraded to a nonvulnerable release.
    To disable SSHv2 RSA-based user authentication use the no ip ssh server authenticate user publickey command. Use the show running-config | include ip ssh server command to verify that the mitigation is applied.

    When this mitigation is applied, the system will proceed to the next authentication method. By default this is keyboard-interactive.

    The following example shows a Cisco IOS device with SSHv2 RSA-based user authentication disabled:

    router#show running-config | include ip ssh server
    no ip ssh server authenticate user publickey

  • When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Cisco IOS Software

    Cisco provides a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker allows customers to perform the following tasks:

    • Initiate a search by selecting releases from the drop-down menu or uploading a file from a local system
    • Enter show version command output for the tool to parse
    • Create a customized search by including all previously published Cisco Security Advisories, a specific publication, or all advisories in the September 2015 bundled publication

    The tool identifies any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool also returns the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). Please visit the Cisco IOS Software Checker or enter a Cisco IOS Software release in the following field to determine whether the release is affected by any of the advisories in this bundled publication.

    (Example entry: 15.1(4)M2)



    For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

    Cisco IOS XE

    Cisco
    IOS XE
    Software
    Train     		First Fixed Release for
    this Advisory     		First Fixed Release for
    All Advisories in the
    September 2015 Cisco IOS and IOS XE
    Software Security Advisory
    Bundled Publication
    2.6 Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.1S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.1SG Not vulnerable Not vulnerable
    3.2S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.2SE Not vulnerable Vulnerable; migrate to 3.6.3E or later.
    3.2SG Not vulnerable Not vulnerable
    3.2SQ Not vulnerable Not vulnerable
    3.2XO Not vulnerable Not vulnerable
    3.3S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.3SE Not vulnerable Vulnerable; migrate to 3.6.3E or later.
    3.3SG Not vulnerable Not vulnerable
    3.3SQ Not vulnerable Not vulnerable
    3.3XO Not vulnerable Vulnerable; migrate to 3.6.3E or later.
    3.4S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.4SG Not vulnerable Vulnerable; migrate to 3.6.3E or later.
    3.4SQ Not vulnerable Not vulnerable
    3.5E Not vulnerable Vulnerable; migrate to 3.6.3E or later.
    3.5S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.5SQ Not vulnerable Not vulnerable
    3.6E 3.6.3E 3.6.3E
    3.6S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.7E 3.7.1E 3.7.2E
    3.7S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.8S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.9S Not vulnerable Vulnerable; migrate to 3.10.6S or later.
    3.10S 3.10.6S 3.10.6S
    3.11S 3.11.4S Vulnerable; migrate to 3.13.3S or later.
    3.12S 3.12.3S Vulnerable; migrate to 3.13.3S or later.
    3.13S 3.13.3S 3.13.3S
    3.14S 3.14.1S Vulnerable; migrate to 3.15.1S or later.
    3.15S Not vulnerable 3.15.1S
    3.16S Not vulnerable Not vulnerable

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

    This vulnerability was reported to Cisco by Mathias Seiler from MiroNet AG.

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.



  • Revision 1.0 2015-September-23 Initial public release.
    Show Less


  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.