Detections
Analytics

Cisco ASA Cavium SDK TLS Incorrect Padding Acceptance Plaintext Disclosure (CSCuu93339)

low Nessus Plugin ID 91426

Language:

Synopsis

The remote device is affected by an information disclosure vulnerability.

Description

The remote Cisco Adaptive Security Appliance (ASA) is missing a vendor-supplied security patch. It is, therefore, affected by a flaw in the TLS 1.x implementation in the Cavium SDK due to a failure to check the first byte of the padding bytes. A man-in-the-middle attacker can exploit this, by sending specially crafted requests to the server, to induce requests that allow determining the plaintext chunks of data. This vulnerability is a variant of the POODLE attack.

Solution

Apply the relevant patch referenced in bug ID CSCuu93339, or contact the vendor.

See Also

https://tools.cisco.com/bugsearch/bug/CSCuu93339

http://www.nessus.org/u?0f38496c

Plugin Details

Severity: Low

ID: 91426

File Name: cisco-sn-CSCuu93339-asa.nasl

Version: 1.6

Type: local

Family: CISCO

Published: 6/1/2016

Updated: 11/14/2019

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:cisco:adaptive_security_appliance_software

Required KB Items: Host/Cisco/ASA, Host/Cisco/ASA/model

Exploit Ease: No known exploits are available

Patch Publication Date: 8/31/2015

Vulnerability Publication Date: 7/14/2015

Reference Information

CVE: CVE-2015-4595

CISCO-BUG-ID: CSCuu93339