Cisco Umbrella Virtual Appliance Static SSH Key Vulnerability

Introduction

Cisco has released a security advisory regarding Umbrella Virtual Appliances.

The advisory states that the vulnerability “could allow an unauthenticated, remote attacker to impersonate a VA” and is due to the presence of a static SSH host key. The attack vector is man-in-the-middle, and SSH is not enabled by default on these virtual appliances.

The vulnerability has been assigned CVE-2022-20773 with a CVSS 3.1 Base Score of 7.5 (High).

Cisco has released version 3.3.2 to fix this vulnerability.

Affected Products

This vulnerability affects the Cisco Umbrella Virtual Appliance for both VMware ESXi and Hyper-V running a software version earlier than 3.3.2.

The VA version can be verified by opening the VA in the hypervisor console or by navigating to Deployments > Configuration > Sites and Active Directory in the Umbrella Dashboard.

To determine if SSH is enabled, log in to the hypervisor console, enter configuration mode by pressing CTRL+B, and enter the command config va show.

The following example shows the output of the config va show command for a device that has SSH enabled:

~ $ config va show
Virtual Appliance Configuration
Name:
Local DNS –
ip address :
DNSSEC : disabled
Internal Domains Count: 0
Resolvers: 208.67.220.220 208.67.222.222
SSH access : enabled
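
For a fleet of appliances, the two checks above (version earlier than 3.3.2, and the SSH access line of config va show) can be combined into one triage step. The following Python sketch is an added example, not code from Cisco or from this bulletin; the function names, result labels and sample text are assumptions made for illustration.

```python
import re

FIXED_VERSION = (3, 3, 2)  # first fixed release named in this bulletin

# Constructed sample, modelled on the `config va show` output shown above.
SAMPLE_OUTPUT = """\
Virtual Appliance Configuration
Name:
DNSSEC : disabled
Internal Domains Count: 0
Resolvers: 208.67.220.220 208.67.222.222
SSH access : enabled
"""


def parse_version(text):
    """Turn '3.3.1' into (3, 3, 1) so comparison is numeric, not lexical."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))  # pad '3.3' to (3, 3, 0)


def ssh_state(show_output):
    """Return True/False from the 'SSH access' line, or None if it is absent."""
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "ssh access":
            value = value.strip().lower()
            if value in ("enabled", "disabled"):
                return value == "enabled"
    return None


def triage(version, show_output):
    """Classify one VA using hypothetical labels chosen for this example."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    state = ssh_state(show_output)
    if state is None:
        return "affected-ssh-unknown"  # affected version, SSH line not captured
    return "affected-ssh-enabled" if state else "affected-ssh-disabled"
```

Comparing versions as integer tuples matters here: a plain string comparison would sort a release such as 3.3.10 before 3.3.2 and misreport it as affected.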