OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability

2015-01-1319:57:19

tools.cisco.com

151

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.948 High

EPSS

Percentile

99.2%

JSON

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.

The vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library. When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.

OpenSSL has confirmed the vulnerability and released software updates.

To exploit the vulnerability, the attacker likely requires privileged network access to trusted or internal networks to return temporary RSA keys to the targeted system. This access requirement greatly limits the likelihood of a successful exploit.

CPENameOperatorVersion
cisco ata series analog telephone adaptoreqany
cisco secure access control system (acs)eqany
ioseq12.2SE
ioseq12.2EX
ioseq12.2EY
ioseq12.2EZ
ioseq12.4T
ioseq12.4MD
ioseq15.0M
ioseq15.0XA

Name	Operator	Version
cisco ata series analog telephone adaptor	eq	any
cisco secure access control system (acs)	eq	any
ios	eq	12.2SE
ios	eq	12.2EX
ios	eq	12.2EY
ios	eq	12.2EZ
ios	eq	12.4T
ios	eq	12.4MD
ios	eq	15.0M
ios	eq	15.0XA