Home Unlabelled Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability

Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability

By
Wednesday, December 07, 2016
Read
Add Comment
A vulnerability in the update functionality of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Content Management Security Appliance (SMA) could allow an unauthenticated, remote attacker to impersonate the update server.

The vulnerability is due to a lack of certificate validation during the HTTPS connection toward the repository from which the update manifests are retrieved. An attacker could exploit this vulnerability by performing a man-in-the-middle attack (such as DNS hijacking) and impersonating the update server.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://ift.tt/2hgMxoC A vulnerability in the update functionality of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Content Management Security Appliance (SMA) could allow an unauthenticated, remote attacker to impersonate the update server.

The vulnerability is due to a lack of certificate validation during the HTTPS connection toward the repository from which the update manifests are retrieved. An attacker could exploit this vulnerability by performing a man-in-the-middle attack (such as DNS hijacking) and impersonating the update server.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://ift.tt/2hgMxoC
Security Impact Rating: Medium
CVE: CVE-2016-1411

from Cisco Security Advisory http://ift.tt/2hgMxoC
Tags :

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us