CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS percentile: 70.6%
A vulnerability in the HTTPS session key exchange process of certain Cisco Small Business RV Series Routers and Cisco SA500 Series Security Appliances could allow an unauthenticated, remote attacker to obtain the key pair used in the Transport Layer Security (TLS) session from the affected device.
The vulnerability is due to insufficient sources of entropy used by the random number generator. An attacker could exploit this vulnerability by gathering large amounts of TLS handshake data to predict the random numbers generated for the key pair. An exploit could allow the attacker to decrypt session data between a host and the affected device.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151210-dwvr
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | small_business_500_series_stackable_managed_switches_firmware | any | cpe:2.3:o:cisco:small_business_500_series_stackable_managed_switches_firmware:any:*:*:*:*:*:*:* |
cisco | small_business_rv_series_router_firmware | any | cpe:2.3:o:cisco:small_business_rv_series_router_firmware:any:*:*:*:*:*:*:* |
cisco | small_business_srp541w | 500_series_security_appliances | cpe:2.3:h:cisco:small_business_srp541w:500_series_security_appliances:*:*:*:*:*:*:* |