April 22, 2022

How To Fix The SSH Key Vulnerability In Cisco Umbrella Virtual Appliance- CVE-2022-20773?



Network appliance giant Cisco published an advisory on 21 April detailing an SSH key vulnerability in the Cisco Umbrella Virtual Appliance (VA). The vulnerability, tracked as CVE-2022-20773, is a high-severity flaw with a CVSS score of 7.5 out of 10. It allows an unauthenticated, remote attacker to impersonate a VA and steal admin credentials. Because the flaw puts admin credentials at risk of theft, it is worth understanding and addressing as soon as possible. Let’s see how to fix the SSH key vulnerability in Cisco Umbrella Virtual Appliance in this post.

About Cisco Umbrella Virtual Appliance:

Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet. Cisco Umbrella uses a combination of DNS filtering, URL filtering, and IP reputation to block requests to malicious websites and stop malware from infecting devices. Cisco Umbrella also provides insights into internet activity so that you can see which sites are being visited, what type of traffic is being generated, and where potential threats are coming from. Cisco Umbrella is easy to set up and manage, and it works with any Internet connection or device. It is also compatible with most of the well-known virtualization and cloud platforms, such as the VMware ESX/ESXi, Windows Hyper-V, and KVM hypervisors and the Microsoft Azure, Google Cloud Platform, and Amazon Web Services cloud platforms.

Here are some of the key features of Cisco Umbrella:

  1. DNS filtering: Cisco Umbrella uses DNS to block requests to malicious websites and stop malware from infecting devices. Cisco Umbrella provides insights into internet activity so that you can see which sites are being visited, what type of traffic is being generated, and where potential threats are coming from.

  2. URL filtering: Cisco Umbrella blocks requests to known malicious websites and stops malware from infecting devices. Cisco Umbrella also provides insights into internet activity so that you can see which sites are being visited, what type of traffic is being generated, and where potential threats are coming from.

  3. IP reputation: Cisco Umbrella checks the reputation of IP addresses to determine if they are associated with malicious activity. Cisco Umbrella also provides insights into internet activity so that you can see which sites are being visited, what type of traffic is being generated, and where potential threats are coming from.

  4. Easy to set up and manage: Cisco Umbrella is easy to set up and manage, and it works with any Internet connection or device.

  5. Cloud-based security: Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet. Cisco Umbrella uses a combination of DNS filtering, URL filtering, and IP reputation to block requests to malicious websites and stop malware from infecting devices. Cisco Umbrella also provides insights into internet activity so that you can see which sites are being visited, what type of traffic is being generated, and where potential threats are coming from. Cisco Umbrella is easy to set up and manage, and it works with any Internet connection or device.

Summary Of CVE-2022-20773:

This vulnerability lies in the key-based authentication of the Cisco Umbrella Virtual Appliance. The flaw allows an unauthenticated, remote attacker to impersonate a VA and steal admin credentials.

The advisory says, “This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA.”
By Cisco

Field | Value
Associated CVE ID | CVE-2022-20773
Description | A SSH Key Vulnerability in Cisco Umbrella Virtual Appliance
Associated ZDI ID |
CVSS Score | 7.5 High
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact Score |
Exploitability Score |
Attack Vector (AV) | Network
Attack Complexity (AC) | High
Privilege Required (PR) | None
User Interaction (UI) | Required
Scope | Unchanged
Confidentiality (C) | High
Integrity (I) | High
Availability (A) | High

Products Affected By CVE-2022-20773:

The flaw affects Cisco Umbrella Virtual Appliance versions earlier than 3.3.2. Check the version of your Cisco Umbrella Virtual Appliance running on VMware ESXi and Hyper-V, and fix the SSH key vulnerability if it is affected.

How to Check the Version of Cisco Umbrella Virtual Appliance?

There are two ways to get the version info in Cisco Umbrella Virtual Appliance: 1. CLI Command, and 2. Dashboard

1. CLI Command:

Log in to the Virtual Appliance CLI, then type the ‘version’ command. That’s it.

$ version

2. Dashboard:

Navigate to Deployments > Configuration > Sites and Active Directory on the Umbrella Dashboard to see the version info. You can also get the version info from the VMware or hypervisor console.

How To Fix The SSH Key Vulnerability In Cisco Umbrella Virtual Appliance- CVE-2022-20773?

Cisco recommends upgrading Cisco Umbrella to v3.3.2 or greater. Those looking for a temporary workaround will be disappointed: there are no workarounds for the SSH key vulnerability in Cisco Umbrella Virtual Appliance as long as you use SSH authentication. If SSH authentication is not mandatory, you can turn it off.

Note: SSH is disabled by default. However, if you want to confirm whether the SSH service is enabled, try this command:

$ config va show 

You will see output like this. In this example, SSH is enabled.

~ $ config va show
            Virtual Appliance Configuration
                Name:
                Local DNS -
                    ip address :
                    DNSSEC     : disabled
                Internal Domains Count: 0
                Resolvers: 208.67.220.220 208.67.222.222
                SSH access : enabled

If you want to disable the SSH authentication, try this command.

$ config va ssh disable
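
The two checks above (release earlier than 3.3.2, and the ‘SSH access’ line of `config va show`) can be combined into one triage step. This is an added example, not part of the original post or Cisco's tooling; it assumes the `version` command prints a dotted release number, which the page does not show.

```python
import re

FIXED = (3, 3, 2)  # first fixed release named on this page

# `config va show` output as printed on this page (SSH enabled).
PAGE_SAMPLE = """\
Virtual Appliance Configuration
    Name:
    Local DNS -
        ip address :
        DNSSEC     : disabled
    Internal Domains Count: 0
    Resolvers: 208.67.220.220 208.67.222.222
    SSH access : enabled
"""

def parse_version(text):
    """Extract (major, minor, patch) from text; a missing patch counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def ssh_enabled(show_output):
    """True/False from the 'SSH access' line, None when the line is missing."""
    m = re.search(r"^\s*SSH access\s*:\s*(\w+)", show_output, re.MULTILINE)
    return None if m is None else m.group(1).lower() == "enabled"

def triage(version_text, show_output):
    """Classify one appliance: 'fixed', 'exposed', 'upgrade' or 'unknown'."""
    if parse_version(version_text) >= FIXED:
        return "fixed"        # 3.3.2 or later
    state = ssh_enabled(show_output)
    if state is True:
        return "exposed"      # affected release with SSH access enabled
    if state is False:
        return "upgrade"      # affected release, SSH currently disabled
    return "unknown"          # SSH state not readable; check by hand

if __name__ == "__main__":
    print(triage("3.3.1", PAGE_SAMPLE))
```

Versions are compared as integer tuples, so a release such as 3.10.0 is not mistaken for one older than 3.3.2.
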

Other useful commands to know:

config va status
config va name <New name for the VA>
config va interface <interface name> <ip address> <subnet mask> <gateway>
config va interface6 <interface name> <IPv6 address/prefix> <IPv6 gateway>
config va show
config va ssh enable
config va dmz enable
config va dnssec enable
config va per-ip-rate-limit enable <packets/sec> <burst rate>

How To Fix CVE-2022-20773, A SSH Key Vulnerability In Cisco Umbrella Virtual Appliance?

The best and permanent way to fix the SSH Key vulnerability in Cisco Umbrella Virtual Appliance is to upgrade it to v3.3.2.

Cisco Umbrella Virtual Appliance | First Fixed Release
3.2 and earlier | Migrate to a fixed release.
3.3 | 3.3.2

Upgrading Cisco Umbrella to v3.3.2 is the recommended approach to fix the SSH Key vulnerability in the Cisco Umbrella Virtual Appliance. Let’s see how to perform this upgrade in simple steps.

First of all, we would like to say there are two different ways to do this upgrade.

  1. Auto Upgrade

  2. Manual Upgrade

How To Upgrade Cisco Umbrella Virtual Appliances?

Step 1. Whitelist these two domains in the Firewall

These two domains must be accessible from your Cisco Umbrella Virtual Appliances to download the updates from the public Umbrella server.
* 443 (TCP) to disthost.opendns.com
* 443 (TCP) to disthost.umbrella.com

Step 2. Check the version info in the Umbrella Dashboard

Log in to the console and navigate to Deployments > Configuration > Sites and Active Directory. Note the version of the Cisco Umbrella VA under ‘Version’.

Step 3. Upgrade the Cisco Umbrella Virtual Appliance

Click the alert symbol and click the upgrade button to start the upgrade process.

Step 4. Set the Auto upgrade on the Cisco Umbrella Virtual Appliance

  1. Navigate to Deployments > Configuration > Sites and Active Directory.

  2. Click Settings and then the Auto-Update tab.

  3. Schedule the auto-upgrade process by setting up Day and Time Range, then click Set to enable the auto-upgrade.

We hope this post helps you fix the SSH key vulnerability in the Cisco Umbrella Virtual Appliance. Please share this post and help to secure the digital world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
