Cisco patched a vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA). The vulnerability could allow a remote attacker to impersonate a VA. Tracked as CVE-2022-20773, it is due to the presence of a static SSH host key and can be exploited with a man-in-the-middle attack on an SSH connection to the Umbrella VA.
The vulnerability has a CVSS score of 7.5.
When it is successfully exploited, the vulnerability allows an attacker to learn the administrator credentials, change configurations, or reload the VA. There are no workarounds for this vulnerability and Cisco urges users to apply the patch as soon as possible.
This vulnerability affects the Cisco Umbrella Virtual Appliance for both VMware ESXi and Hyper-V running a software version earlier than 3.3.2. SSH is not enabled by default. To check whether it is enabled, users can open the hypervisor console, enter configuration mode by pressing CTRL+B, and run the command config va show. If SSH is enabled, the output of the config va show command will look like this:
~ $ config va show
Virtual Appliance Configuration
Name:
Local DNS -
ip address :
DNSSEC : disabled
Internal Domains Count: 0
Resolvers: 208.67.220.220 208.67.222.222
SSH access : enabled