CVE-2021-40119

CWE-321CWE-798 ā€” Hard-coded Credentials4 documents4 sources
Severity
9.8CRITICAL
EPSS
7.6%
top 8.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Policy SuiteCisco Cisco Policy Suite (cps) Software
Timeline
PublishedNov 4
Latest updateMay 24

Description

A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to the re-use of static SSH keys across installations. An attacker could exploit this vulnerability by extracting a key from a system under their control. A successful exploit could allow the attacker to log in to an affected system as the root user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

ā–¶NVDcisco/policy_suite< 21.1.0

šŸ”“Vulnerability Details

2
GHSA
GHSA-wjwm-57j9-gm6h: A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an afā†—2022-05-24
ā–¶
CVEList
Cisco Policy Suite Static SSH Keys Vulnerabilityā†—2021-11-04
ā–¶

šŸ“‹Vendor Advisories

1
Cisco
Cisco Policy Suite Static SSH Keys Vulnerabilityā†—2021-11-03
ā–¶
CVE-2021-40119 (CRITICAL CVSS 9.8) | A vulnerability in the key-based SS | cvebase.io