Cisco FireSIGHT System Software Convert Timing Channel Vulnerability

A vulnerability in credential authentication for valid and invalid username-password pairs for Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to determine a list of valid usernames for an affected device.

The vulnerability is due to implementation details of how system credentials are verified by the affected software. An attacker could exploit this vulnerability by using a combination of valid system logins, invalid system logins, and time variability to try to continuously authenticate to a device. An exploit could allow the attacker to obtain a list of valid system usernames. The list contains valid usernames only. The list does not contain any associated passwords.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-FireSIGHT1[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-FireSIGHT1”]