Cisco Security Advisory
Multiple Cisco Products Confidential Information Decryption Man-in-the-Middle Vulnerability
AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:UC
-
A vulnerability in the cryptographic implementation of multiple Cisco products could allow an unauthenticated, remote attacker to make use of a hard-coded certificate and keys embedded within the firmware of the affected device.
The vulnerability is due to the lack of unique key and certificate generation within affected appliances. An attacker could exploit this vulnerability by using the static information to conduct man-in-the-middle attacks to decrypt confidential information on user connections.
This is an attack on the client attempting to access the device and does not compromise the device itself. To exploit the issue, an attacker needs not only the public and private key pair, but also a privileged position in the network that would allow the attacker to monitor the traffic between client and server, intercept the traffic, and modify or inject the attacker's own traffic. There are no workarounds that address this vulnerability.
Cisco has not released software updates that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151125-ci
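Because the root cause is that affected devices do not generate a unique certificate and key, an inventory audit can confirm exposure by checking whether several devices present the same certificate. The following is an added example, not part of the Cisco advisory: the addresses (documentation range 192.0.2.0/24) and the certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint over the DER bytes of a PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a device's HTTPS interface presents (no validation)."""
    return ssl.get_server_certificate((host, port))


def find_shared_certs(inventory: dict) -> dict:
    """Map fingerprint -> sorted hosts, keeping only certs seen on 2+ hosts.

    A certificate presented by more than one device means those devices were
    not given unique key material, so a client cannot tell them (or anyone
    else holding the firmware key) apart by certificate alone.
    Limitation: this compares whole certificates; devices that share a key
    but wrap it in different certificates need a public-key comparison.
    """
    by_fp = defaultdict(list)
    for host, pem in inventory.items():
        by_fp[fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
_FIRMWARE_DEFAULT = ssl.DER_cert_to_PEM_cert(b"constructed-firmware-default-cert")
_UNIQUE = ssl.DER_cert_to_PEM_cert(b"constructed-per-device-cert")
SAMPLE_INVENTORY = {
    "192.0.2.10": _FIRMWARE_DEFAULT,
    "192.0.2.11": _FIRMWARE_DEFAULT,
    "192.0.2.20": _UNIQUE,
}

if __name__ == "__main__":
    # For a live audit of devices you administer, build the inventory with
    # {host: fetch_pem(host) for host in hosts} instead of the sample data.
    for fp, hosts in find_shared_certs(SAMPLE_INVENTORY).items():
        print(f"shared certificate {fp[:16]}... on {', '.join(hosts)}")
```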
-
Vulnerable Products
The following products are vulnerable:
- RV320 Dual Gigabit WAN VPN Router
- RV325 Dual Gigabit WAN VPN Router
- RVS4000 4-port Gigabit Security Router - VPN
- WRV210 Wireless-G VPN Router - RangeBooster
- WAP4410N Wireless-N Access Point - PoE/Advanced Security
- WRV200 Wireless-G VPN Router - RangeBooster
- WRVS4400N Wireless-N Gigabit Security Router - VPN V2.0
- WAP200 Wireless-G Access Point - PoE/Rangebooster
- WVC2300 Wireless-G Business Internet Video Camera - Audio
- PVC2300 Business Internet Video Camera - Audio/PoE
- SRW224P 24-port 10/100 + 2-port Gigabit Switch - WebView/PoE
- WET200 Wireless-G Business Ethernet Bridge
- WAP2000 Wireless-G Access Point - PoE
- WAP4400N Wireless-N Access Point - PoE
- RV120W Wireless-N VPN Firewall
- RV180 VPN Router
- RV180W Wireless-N Multifunction VPN Router
- RV315W Wireless-N VPN Router
- Small Business SRP520 Models
- Small Business SRP520-U Models
- WRP500 Wireless-AC Broadband Router with 2 Phone Ports
- SPA400 Internet Telephony Gateway with 4 FXO Ports
- RTP300 Broadband Router
- RV220W Wireless Network Security Firewall
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
There are no workarounds that address this vulnerability. As a mitigation, customers may want to restrict access to the device's administrative interfaces over SSH and HTTPS to a known, trusted subset of IP addresses.
-
Cisco provides information about fixed software in Cisco bugs, which are accessible through the Cisco Bug Search Tool.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
• RV320 Dual Gigabit WAN VPN Router: Firmware version 1.3.1.12 available
• RV325 Dual Gigabit WAN VPN Router: Firmware version 1.3.1.12 available
• RVS4000 4-port Gigabit Security Router - VPN: No fix will be provided
• WRV210 Wireless-G VPN Router - RangeBooster: No fix will be provided
• WAP4410N Wireless-N Access Point - PoE/Advanced Security: No fix will be provided
• WRV200 Wireless-G VPN Router - RangeBooster: No fix will be provided
• WRVS4400N Wireless-N Gigabit Security Router - VPN V2.0: No fix will be provided
• WAP200 Wireless-G Access Point - PoE/Rangebooster: No fix will be provided
• WVC2300 Wireless-G Business Internet Video Camera - Audio: No fix will be provided
• PVC2300 Business Internet Video Camera - Audio/PoE: No fix will be provided
• SRW224P 24-port 10/100 + 2-port Gigabit Switch - WebView/PoE: No fix will be provided
• WET200 Wireless-G Business Ethernet Bridge: No fix will be provided
• WAP2000 Wireless-G Access Point - PoE: No fix will be provided
• WAP4400N Wireless-N Access Point - PoE: No fix will be provided
• RV120W Wireless-N VPN Firewall: No fix will be provided
• RV180 VPN Router: No fix will be provided
• RV180W Wireless-N Multifunction VPN Router: No fix will be provided
• RV315W Wireless-N VPN Router: No fix will be provided
• Small Business SRP520 Models: No fix will be provided
• Small Business SRP520-U Models: No fix will be provided
• WRP500 Wireless-AC Broadband Router: Fix resolved in an Engineering Special (ES). Cisco TAC should be contacted for further information.
• SPA400 Internet Telephony Gateway with 4 FXO Ports: No fix will be provided
• RTP300 Broadband Router: No fix will be provided
• RV220W Wireless Network Security Firewall: No fix will be provided
-
The Cisco Product Security Incident Response Team (PSIRT) is aware that the vulnerability described in this advisory has been publicly disclosed by Stefan Viehböck from SEC Consult Vulnerability Lab. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
-
Cisco would like to thank Stefan Viehböck from SEC Consult Vulnerability Lab for discovering and reporting this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
1.4 | Updated Fixed Software to include information on an Engineering Special (ES). | Fixed Software | Final | 2016-September-20
1.3 | Updated Fixed Software to include information on new software updates. | Fixed Software | Final | 2016-September-13
1.2 | Updated the affected products to indicate when fixes will be made available. | Affected Products | Final | 2016-January-21
1.1 | Updated the Summary, Exploitation and Public Announcements, and Workarounds sections to clarify the details. | Summary, Exploitation and Public Announcements, Workarounds. | Final | 2015-November-26
1.0 | Initial public release | - | Final | 2015-November-25
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.