AMI Key Removal from Cisco SD-WAN Controllers

Cisco SD-WAN cloud deployments of overlays on Amazon Web Services (AWS) involve the creation of Amazon Machine Images (AMIs). Cisco SD-WAN AMIs are built from a publicly available Linux AMI as the base. During the creation of a Cisco SD-WAN device AMI, a public key is written to the SSH authorized keys file of the image. The public key is not used after the Cisco SD-WAN device is created, except as a backup for recovery when needed.

Public Key Location

The public key is present in the versions of Cisco vManage, Cisco vSmart Controllers, Cisco vBond Orchestrators, and Cisco vEdge devices that the “Versions Affected” section lists. On these devices, the public key is stored in the file /home/admin/.ssh/authorized_keys. The file contains one of three public keys that were used in the AMI creation process. For overlays with existing machines, which key is present depends on the version that was used at launch time, because software upgrades retain the previously installed authorized_keys file.
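The practical check for an existing machine is to list every key in /home/admin/.ssh/authorized_keys by fingerprint and compare it with the keys the operator actually authorized; any entry outside that list is a candidate for the AMI-build key and should be removed. The script below is an added example written for this page, not Cisco tooling or the security update itself. It parses authorized_keys entries (including ones with a leading options field), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, reports each key as approved or UNEXPECTED against an operator-supplied allowlist, and rebuilds the file with only approved keys. The key material, file contents, and comment strings are constructed for the example: the "public keys" are SHA-256 digests packed into an ssh-ed25519 blob so they parse and fingerprint like real keys but correspond to no usable keypair, and the real AMI-build keys are not reproduced here.

```python
"""Audit an authorized_keys file against an operator allowlist.

Added example, not Cisco's code. All key material below is constructed.
"""
import base64
import binascii
import hashlib
import struct

# Key types whose wire blob begins with the type name as an SSH string.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0) -> bytes:
    """Decode the SSH string at `offset`; raises on a truncated blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length]


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw blob, unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_b64(key_b64: str) -> str:
    """Fingerprint of a key given in its base64 authorized_keys form."""
    return fingerprint(base64.b64decode(key_b64))


def parse_authorized_line(line: str) -> dict:
    """Parse one authorized_keys entry, tolerating a leading options field."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            declared = _read_ssh_string(blob).decode("ascii", "replace")
            if declared != tok:  # text type and blob type must agree
                raise ValueError(f"type mismatch: {tok} vs {declared}")
            return {
                "type": tok,
                "fingerprint": fingerprint(blob),
                "comment": " ".join(tokens[i + 2:]),
                "options": " ".join(tokens[:i]),
            }
    raise ValueError("no key material found")


def audit(text: str, approved: set) -> list:
    """One finding per key line; keys not in `approved` are UNEXPECTED."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            entry = parse_authorized_line(line)
        except (ValueError, struct.error, binascii.Error) as exc:
            findings.append({"line": lineno, "status": "UNPARSEABLE", "reason": str(exc)})
            continue
        entry["line"] = lineno
        entry["status"] = "approved" if entry["fingerprint"] in approved else "UNEXPECTED"
        findings.append(entry)
    return findings


def purge(text: str, approved: set) -> str:
    """Rebuild the file keeping comments, blank lines and approved keys only.
    Lines that do not parse are dropped as well (fail closed)."""
    kept = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        try:
            if parse_authorized_line(line)["fingerprint"] in approved:
                kept.append(line)
        except (ValueError, struct.error, binascii.Error):
            pass
    return "\n".join(kept) + "\n"


def _constructed_ed25519(label: bytes) -> str:
    """Constructed stand-in: 32 digest bytes where a real public key would be."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(label).digest())
    return base64.b64encode(blob).decode()


OPERATOR_KEY = _constructed_ed25519(b"operator")   # constructed, not a real key
VENDOR_KEY = _constructed_ed25519(b"ami-build")    # stands in for the AMI-build key

# Constructed sample file; nothing here was copied from a device.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample, not copied from a device\n"
    f"ssh-ed25519 {OPERATOR_KEY} netops@jumphost\n"
    f"ssh-ed25519 {VENDOR_KEY} build@ami-factory\n"
)

if __name__ == "__main__":
    allow = {fingerprint_b64(OPERATOR_KEY)}
    for f in audit(SAMPLE_AUTHORIZED_KEYS, allow):
        print(f["line"], f["status"], f.get("fingerprint", ""), f.get("comment", ""))
    print(purge(SAMPLE_AUTHORIZED_KEYS, allow), end="")
```

On a real device the allowlist is the set of fingerprints for keys the operator deployed (obtainable with `ssh-keygen -lf` on each known public key), and the audit should be run against the current file on every node, because an upgraded node still carries whatever authorized_keys it was launched with. Review the UNEXPECTED findings before writing back the purged file, and keep an out-of-band path to the machine in case the key being removed is the only one in use.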

Implication

Cloud-hosted overlays that were launched from the controller and Cisco vEdge device AMIs that are not published on the AWS Marketplace may be affected. Approximately 1,850 overlays were launched using these AMIs. An active Cisco user who holds the matching private key and connects through the Cisco SJC VPN can access a given Cisco SD-WAN cloud machine. AMIs used in overlays published on the AWS Marketplace are not affected, because the public keys were removed as part of the publication process. Azure overlays are likewise not affected, nor are overlays that were launched with Cisco SD-WAN versions that the “Versions Affected” section does not list.

Versions Affected

Beginning with Cisco SD-WAN Release 19.2.2, the public key has been removed from the AMIs. For existing overlays, the existing key is removed through a security update.

The following Cisco SD-WAN releases are affected by the public key in AMIs issue:

  • 18.3.6

  • 18.3.7

  • 18.3.8

  • 18.4.2

  • 18.4.3

  • 18.4.4

  • 19.2.0

  • 19.2.1

  • 19.2.099

  • 19.3.0