CVE-2021-28123
📋 TL;DR
Cohesity DataPlatform versions 6.3 through 6.5.1b contain an undocumented default SSH cryptographic key that provides root access to the underlying Linux system. This vulnerability allows attackers to gain complete control of affected systems. Organizations running vulnerable Cohesity DataPlatform versions are affected.
💻 Affected Systems
- Cohesity DataPlatform
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Cohesity cluster with root access to all nodes, enabling data theft, destruction, ransomware deployment, and lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive backup data, configuration tampering, and potential deployment of malware or persistence mechanisms.
If Mitigated
Limited impact if network segmentation prevents access to management interfaces and strict access controls are in place.
🎯 Exploit Status
Exploitation requires only the default SSH private key and network access to SSH ports (typically 22). The key has been publicly disclosed in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.1g, 6.4.1d, 6.5.1c and later
Vendor Advisory: https://github.com/cohesity/SecAdvisory/blob/master/CVE-2021-28123.md
Restart Required: Yes
Instructions:
1. Back up all configurations and data.
2. Upgrade to a patched version via Cohesity Helios or the CLI.
3. Verify that the SSH keys have been regenerated.
4. Restart services as required during the upgrade.
🔧 Temporary Workarounds
Network Segmentation
Block SSH access to Cohesity management interfaces from untrusted networks:
iptables -A INPUT -p tcp --dport 22 -s [TRUSTED_NETWORKS] -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
SSH Key Rotation
Manually regenerate the SSH host keys on all nodes:
rm /etc/ssh/ssh_host_*
ssh-keygen -A
systemctl restart sshd
🧯 If You Can't Patch
- Implement strict network access controls to limit SSH access to Cohesity nodes only from trusted management stations
- Monitor SSH authentication logs for unauthorized access attempts and implement intrusion detection rules
🔍 How to Verify
Check if Vulnerable:
Compare the SSH host key fingerprint of each node against the fingerprints of the known vulnerable default keys published in the security advisories; a match means the node is vulnerable.
Check Version:
Run ssh admin@cohesity-node 'show version', or check the installed version in the Cohesity Helios dashboard.
Verify Fix Applied:
Verify SSH host key fingerprints have changed after patch installation and do not match known vulnerable keys.
📡 Detection & Monitoring
Log Indicators:
- Successful SSH authentication using default key fingerprints
- Multiple failed SSH attempts followed by success
- Unauthorized commands executed as root
Network Indicators:
- SSH connections from unexpected source IPs
- SSH brute force patterns targeting Cohesity nodes
SIEM Query:
source="auth.log" AND "Accepted publickey for root" AND (fingerprint="known_vulnerable_fingerprint" OR user="root")
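As an added illustration (not from the original page or the Cohesity advisory), the three log indicators above implemented as a Python scanner over constructed OpenSSH auth.log lines; the vulnerable fingerprint and the trusted management subnet are placeholders to be replaced with the value from the vendor advisory and your own network:

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder: the page does not list the default key's fingerprint; take it from the vendor advisory.
VULNERABLE_FINGERPRINTS = {"SHA256:PLACEHOLDER_DEFAULT_KEY_FINGERPRINT"}
# Assumed management subnet from which SSH to the nodes is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# OpenSSH auth-log format: "Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:..."
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2(?:: (?P<keytype>\w+) (?P<fp>SHA256:\S+))?"
)

def scan_auth_log(lines, vulnerable_fps=VULNERABLE_FINGERPRINTS,
                  trusted=TRUSTED_NETWORKS, fail_threshold=3):
    """Return (indicator, source_ip, user, fingerprint) tuples for the page's three log indicators."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed attempts per source IP
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        src, user, fp = m["src"], m["user"], m["fp"]
        if m["result"] == "Failed":
            failures[src] += 1
            continue
        # Indicator 1: a successful login presenting the known default key
        if fp in vulnerable_fps:
            alerts.append(("default_key_login", src, user, fp))
        # Indicator 2: SSH login from outside the trusted management networks
        if not any(ipaddress.ip_address(src) in net for net in trusted):
            alerts.append(("untrusted_source", src, user, fp))
        # Indicator 3: a burst of failures from this source followed by a success
        if failures[src] >= fail_threshold:
            alerts.append(("success_after_failures", src, user, fp))
        failures[src] = 0
    return alerts

# Constructed sample lines (not real Cohesity logs) covering all three indicators.
SAMPLE_LOG = """\
Mar  3 10:15:20 node1 sshd[2210]: Failed publickey for root from 192.0.2.44 port 50122 ssh2: RSA SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Mar  3 10:15:21 node1 sshd[2210]: Failed password for root from 192.0.2.44 port 50122 ssh2
Mar  3 10:15:22 node1 sshd[2210]: Failed password for root from 192.0.2.44 port 50122 ssh2
Mar  3 10:15:25 node1 sshd[2213]: Accepted publickey for root from 192.0.2.44 port 50130 ssh2: RSA SHA256:PLACEHOLDER_DEFAULT_KEY_FINGERPRINT
Mar  3 10:20:01 node1 sshd[2301]: Accepted publickey for admin from 10.10.0.7 port 41002 ssh2: ED25519 SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
""".splitlines()
```

Running scan_auth_log(SAMPLE_LOG) flags the root login from 192.0.2.44 on all three indicators and leaves the admin login from the trusted subnet alone.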