4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
71.5%
A vulnerability in the cryptographic implementation of multiple Cisco products could allow an unauthenticated, remote attacker to make use of hard-coded certificate and keys embedded within the firmware of the affected device.
The vulnerability is due to the lack of unique key and certificate generation within affected appliances. An attacker could exploit this vulnerability by using the static information to conduct man-in-the-middle attacks to decrypt confidential information on user connections.
This is an attack on the client attempting to access the device and does not compromise the device itself. To exploit the issue, an attacker needs not only the public and private key pair, but also a privileged position in the network that would allow the attacker to monitor the traffic between client and server, intercept the traffic, and modify or inject the attacker’s own traffic. There are no workarounds that address this vulnerability.
Cisco has not released software updates that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151125-ci[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151125-ci”]
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
71.5%