Cisco warns of default SSH keys shipped in three products
Cisco Systems said Thursday it released a patch for three products that shipped with default encryption keys, posing a risk that an attacker with the keys could decrypt data traffic.
The products are Cisco’s Web Security Virtual Appliance, Email Security Virtual Appliance and Security Management Virtual Appliance, it said in an advisory. Versions downloaded before Thursday are vulnerable.
Cisco said it “is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.”
The three products all shipped with preinstalled encryption keys for SSH (Secure Shell), which is used to remotely log into machines. It’s considered a bad security practice to ship products that all have the same private keys.