A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication. Successful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges. To exploit this vulnerability, the attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication and the public key configured for that user. This vulnerability affects only devices configured for the public key authentication method, also known as the RSA-based user authentication feature.

Cisco has released software updates that address this vulnerability. Workarounds for this vulnerability are not available; however, administrators could temporarily disable RSA-based user authentication to avoid exploitation.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk

Note: The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html
Note: The SSHv2 RSA-based user authentication method is enabled by default; however, the public key of a user must be manually imported to enable the functionality. The following running-configuration excerpt shows an imported user key:

```
router#show running-config | begin ip ssh pubkey-chain
ip ssh pubkey-chain
  username test-user
    key-hash ssh-rsa XXXXXXXXXXXXXXXXXXXXX
[...]
```
To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)T1 with an installed image name of C2951-UNIVERSALK9-M:
```
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
!--- output truncated
```
For information about the naming and numbering conventions for Cisco IOS Software, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
Cisco IOS SSHv2 supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server. RSA-based user authentication uses a private/public key pair associated with each user for authentication.
A vulnerability in the SSH version 2 (SSHv2) implementation of the public key authentication method of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication.

A device on which the public key authentication method has been explicitly disabled shows the following in its running configuration:

```
router#show running-config | include ip ssh server
no ip ssh server authenticate user publickey
```
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco provides a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker identifies any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool also returns the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). Visit the Cisco IOS Software Checker and enter a Cisco IOS Software release (for example, 15.1(4)M2) to determine whether the release is affected by any published Cisco IOS Software advisory.
Cisco IOS XE Software Train | First Fixed Release for this Advisory | First Fixed Release for All Advisories in the September 2015 Cisco IOS and IOS XE Software Security Advisory Bundled Publication |
---|---|---|
2.6 | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.1S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.1SG | Not vulnerable | Not vulnerable |
3.2S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.2SE | Not vulnerable | Vulnerable; migrate to 3.6.3E or later. |
3.2SG | Not vulnerable | Not vulnerable |
3.2SQ | Not vulnerable | Not vulnerable |
3.2XO | Not vulnerable | Not vulnerable |
3.3S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.3SE | Not vulnerable | Vulnerable; migrate to 3.6.3E or later. |
3.3SG | Not vulnerable | Not vulnerable |
3.3SQ | Not vulnerable | Not vulnerable |
3.3XO | Not vulnerable | Vulnerable; migrate to 3.6.3E or later. |
3.4S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.4SG | Not vulnerable | Vulnerable; migrate to 3.6.3E or later. |
3.4SQ | Not vulnerable | Not vulnerable |
3.5E | Not vulnerable | Vulnerable; migrate to 3.6.3E or later. |
3.5S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.5SQ | Not vulnerable | Not vulnerable |
3.6E | 3.6.3E | 3.6.3E |
3.6S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.7E | 3.7.1E | 3.7.2E |
3.7S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.8S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.9S | Not vulnerable | Vulnerable; migrate to 3.10.6S or later. |
3.10S | 3.10.6S | 3.10.6S |
3.11S | 3.11.4S | Vulnerable; migrate to 3.13.3S or later. |
3.12S | 3.12.3S | Vulnerable; migrate to 3.13.3S or later. |
3.13S | 3.13.3S | 3.13.3S |
3.14S | 3.14.1S | Vulnerable; migrate to 3.15.1S or later. |
3.15S | Not vulnerable | 3.15.1S |
3.16S | Not vulnerable | Not vulnerable |
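As an added example that is not part of the advisory, the following Python script applies the IOS XE first-fixed table above together with the configuration checks described earlier (an imported key under `ip ssh pubkey-chain`, and the `no ip ssh server authenticate user publickey` disable command) to triage a device offline. It assumes the zero-padded release form `03.11.03.S` printed by IOS XE `show version`; the sample inputs are constructed, and IOS (non-XE) releases still need the Cisco IOS Software Checker.

```python
import re

# First-fixed Cisco IOS XE release per train, transcribed from the table above.
# Trains the table marks "Not vulnerable" are absent and treated as unaffected.
FIRST_FIXED = {
    "3.6E": "3.6.3E", "3.7E": "3.7.1E", "3.10S": "3.10.6S", "3.11S": "3.11.4S",
    "3.12S": "3.12.3S", "3.13S": "3.13.3S", "3.14S": "3.14.1S",
}

# Accepts the advisory's notation ("3.11.3S") and the zero-padded form assumed
# for device output ("03.11.03.S"); leading zeros are dropped by int().
XE_RELEASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.?([A-Z]+)")

def parse_xe_release(text):
    """Return (train, (major, minor, rebuild)) or None if no IOS XE release is found."""
    m = XE_RELEASE_RE.search(text)
    if m is None:
        return None
    major, minor, rebuild, suffix = m.groups()
    return f"{int(major)}.{int(minor)}{suffix}", (int(major), int(minor), int(rebuild))

def release_vulnerable(text):
    """True if the IOS XE release is below the first fixed release of its train."""
    parsed = parse_xe_release(text)
    if parsed is None:
        return None          # not an IOS XE release string; use the Software Checker
    train, running = parsed
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return False         # train listed as "Not vulnerable" for this advisory
    return running < parse_xe_release(fixed)[1]

def pubkey_auth_configured(running_config):
    """Exposure also requires an imported user key and the method left enabled."""
    has_chain = re.search(r"^ip ssh pubkey-chain\b", running_config, re.M) is not None
    disabled = re.search(r"^no ip ssh server authenticate user publickey\b",
                         running_config, re.M) is not None
    return has_chain and not disabled

def device_exposed(show_version_text, running_config):
    """Combine the release check with the configuration check."""
    return bool(release_vulnerable(show_version_text)) and pubkey_auth_configured(running_config)

# Constructed sample inputs (not taken from the advisory) for a stand-alone run.
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 03.11.03.S - Extended Support Release\n"
SAMPLE_CONFIG = "ip ssh pubkey-chain\n username test-user\n  key-hash ssh-rsa PLACEHOLDER\n"

if __name__ == "__main__":
    print("exposed:", device_exposed(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```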
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was reported to Cisco by Mathias Seiler from MiroNet AG.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.1 | Updated Cisco IOS Software Checker form to query all previously published Cisco IOS Software Security Advisories. | | | 2016-January-14 |
1.0 | Initial public release. | | | 2015-September-23 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.