CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
20.4%
A vulnerability in SSL certificate validation of multiple Cisco products could allow an unauthenticated, remote attacker to stage a man-in-the-middle attack.
The vulnerability is due to lack of SSL certificate validation for secure LDAP. An attacker could exploit this vulnerability to stage a man-in-the-middle attack when secure LDAP is enabled on an affected device. Successful exploitation could allow the attacker to access sensitive information.
Cisco has confirmed the vulnerability; however, software updates are not available.
To exploit this vulnerability, an attacker must be in a position in the network to conduct a man-in-the-middle attack between devices communicating with the targeted device. In addition, the attacker may need to acquire additional information about the device, such as whether secure LDAP is enabled on the device. This feature must be enabled for a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | web_security_appliance_\(wsa\) | any | cpe:2.3:a:cisco:web_security_appliance_\(wsa\):any:*:*:*:*:*:*:* |
cisco | email_security_appliance | any | cpe:2.3:h:cisco:email_security_appliance:any:*:*:*:*:*:*:* |
cisco | content_security_management_appliance | any | cpe:2.3:h:cisco:content_security_management_appliance:any:*:*:*:*:*:*:* |