Lucene search

K
ciscoCiscoCISCO-SA-20150113-CVE-2015-0204
HistoryJan 13, 2015 - 7:57 p.m.

OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability

2015-01-1319:57:19
tools.cisco.com
151

0.948 High

EPSS

Percentile

99.3%

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.

The vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library. When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.

OpenSSL has confirmed the vulnerability and released software updates.

To exploit the vulnerability, the attacker likely requires privileged network access to trusted or internal networks to return temporary RSA keys to the targeted system. This access requirement greatly limits the likelihood of a successful exploit.