March 16, 2024

Cloud Security Daily 211104: SSH Key Vulnerability Found in Cisco's Next-Generation Policy Management Solution, Upgrade as Soon as Possible

Cisco Policy Suite (CPS) is Cisco’s next-generation policy management solution. It provides real-time management based on user business rules, applications, and network resources. On November 3, Cisco released a security update to fix a static SSH key vulnerability found in the next-generation policy management solution. Below are the details of the vulnerability:

CVE-2021-40119
CVSS Score: 9.8
Severity: Critical

Cisco Policy Suite has a vulnerability in its key-based SSH authentication mechanism that may allow an unauthenticated remote attacker to log in to an affected system as the root user. The vulnerability is due to the reuse of static SSH keys across installations. An attacker can exploit it by extracting a key from a system they control. Successful exploitation may allow the attacker to log in to the affected system as the root user.

Affected Products

This vulnerability affects Cisco Policy Suite 21.1.0 and earlier versions.

Solution

Cisco has released software updates to address this vulnerability. Cisco recommends customers take the following appropriate measures:

1. Upgrade Cisco Policy Suite versions prior to 20.2.0 to version 21.1.0.
2. Contact TAC (Cisco Technical Assistance Center) to install patches for Cisco Policy Suite version 20.2.0.
3. For Cisco Policy Suite version 21.1.0, it is recommended to change the default SSH key.

For more vulnerability information and upgrades, please visit the official website.