Cisco Security Advisory
Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability
Click Icon to Copy Verbose Score
AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication.
Successful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.
The attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication and the public key configured for that user to exploit this vulnerability. This vulnerability affects only devices configured for public key authentication method, also known as an RSA-based user authentication feature.
Cisco has released software updates that address this vulnerability. Workarounds for this vulnerability are not available; however administrators could temporarily disable RSA-based user authentication to avoid exploitation. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk
Note: The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html
-
This vulnerability affects products running a vulnerable version of Cisco IOS or Cisco IOS XE Software. Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected versions.
Vulnerable Products
Devices running a vulnerable version of Cisco IOS and Cisco IOS XE Software are affected if SSHv2 access is configured with RSA-based user authentication and at least one user is configured with a public key.
To determine whether RSA-based user authentication is configured for SSHv2 access, use the show running-config | begin ip ssh pubkey-chain command and verify that the ip ssh pubkey-chain command is present and that at least one user is configured.
The following example shows a Cisco IOS router with SSHv2 RSA-based user authentication enabled and configured to authenticate the user test-user:
Note: The SSHv2 RSA-based user authentication method is enabled by default; however, the public key of a user must be manually imported to enable the functionality.router#show running-config | begin ip ssh pubkey-chain
ip ssh pubkey-chain
username test-user
key-hash ssh-rsa XXXXXXXXXXXXXXXXXXXXX
[...]
To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)T1 with an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team !--- output truncatedFor information about the naming and numbering conventions for Cisco IOS Software, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Cisco IOS XR Software and Cisco NX-OS Software are not affected by this vulnerability.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco IOS SSHv2 supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server. RSA-based user authentication uses a private/public key pair associated with each user for authentication.
A vulnerability in the SSH version 2 (SSHv2) implementation of the public key authentication method of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication.
The vulnerability is due to a flaw in the implementation of the SSHv2 public key authentication method, also known as Rivest, Shamir, and Adleman (RSA)-based user authentication. An attacker could exploit this vulnerability by authenticating to an affected system configured for SSHv2 RSA-based user authentication using a crafted private key. The attacker must know a valid username configured for RSA-based user authentication and the public key configured for that user to exploit this vulnerability.
A successful exploit could allow the attacker to bypass user authentication and log in with the privileges of the user or with the privileges configured for the virtual teletype (VTY) line. Depending on the configuration of the user and of the VTY line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.
This vulnerability is documented in Cisco bug ID CSCus73013 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-6280.
-
There are no workarounds for this vulnerability. Administrators could temporarily disable the SSHv2 RSA-based user authentication until the affected system is upgraded to a nonvulnerable release.
To disable SSHv2 RSA-based user authentication use the no ip ssh server authenticate user publickey command. Use the show running-config | include ip ssh server command to verify that the mitigation is applied.
When this mitigation is applied, the system will proceed to the next authentication method. By default this is keyboard-interactive.
The following example shows a Cisco IOS device with SSHv2 RSA-based user authentication disabled:
router#show running-config | include ip ssh server
no ip ssh server authenticate user publickey
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS Software
Cisco provides a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker allows customers to perform the following tasks:
- Initiate a search by selecting releases from the drop-down menu or uploading a file from a local system
- Enter show version command output for the tool to parse
- Create a customized search by including all previously published Cisco Security Advisories, a specific publication, or all advisories in the most recent bundled publication
The tool identifies any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool also returns the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). Please visit the Cisco IOS Software Checker or enter a Cisco IOS Software release in the following field to determine whether the release is affected by any published Cisco IOS Software advisory.
(Example entry: 15.1(4)M2)
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XE
Cisco
IOS XE
Software
TrainFirst Fixed Release for
this AdvisoryFirst Fixed Release for
All Advisories in the
September 2015 Cisco IOS and IOS XE
Software Security Advisory
Bundled Publication2.6 Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.1S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.1SG Not vulnerable Not vulnerable 3.2S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.2SE Not vulnerable Vulnerable; migrate to 3.6.3E or later. 3.2SG Not vulnerable Not vulnerable 3.2SQ Not vulnerable Not vulnerable 3.2XO Not vulnerable Not vulnerable 3.3S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.3SE Not vulnerable Vulnerable; migrate to 3.6.3E or later. 3.3SG Not vulnerable Not vulnerable 3.3SQ Not vulnerable Not vulnerable 3.3XO Not vulnerable Vulnerable; migrate to 3.6.3E or later. 3.4S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.4SG Not vulnerable Vulnerable; migrate to 3.6.3E or later. 3.4SQ Not vulnerable Not vulnerable 3.5E Not vulnerable Vulnerable; migrate to 3.6.3E or later. 3.5S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.5SQ Not vulnerable Not vulnerable 3.6E 3.6.3E 3.6.3E 3.6S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.7E 3.7.1E 3.7.2E 3.7S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.8S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.9S Not vulnerable Vulnerable; migrate to 3.10.6S or later. 3.10S 3.10.6S 3.10.6S 3.11S 3.11.4S Vulnerable; migrate to 3.13.3S or later. 3.12S 3.12.3S Vulnerable; migrate to 3.13.3S or later. 3.13S 3.13.3S 3.13.3S 3.14S 3.14.1S Vulnerable; migrate to 3.15.1S or later. 3.15S Not vulnerable 3.15.1S 3.16S Not vulnerable Not vulnerable
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was reported to Cisco by Mathias Seiler from MiroNet AG.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessVersion Description Section Status Date 1.1 Updated Cisco IOS Software Checker form to query all previously published Cisco IOS Software Security Advisories. 2016-January-14 1.0 Initial public release. 2015-September-23
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.