To exploit this vulnerability, an attacker must be in a position to control the TLS handshake and send crafted messages to the affected device. There is no workaround for this vulnerability. Customers can protect themselves by upgrading to the latest software version, applying the recommendations in this advisory, and disabling Bleichenbacher protection as described in the following section. There are a number of ways an attacker could attempt to send such crafted TLS messages, such as by sniffing the network or by injecting malicious code into web-based management interfaces.

An attacker must be in a position to send crafted messages in order to exploit this vulnerability. Therefore, it is most likely to occur in production environments where the affected device is connected directly to the network and management systems are not filtered through a router. Cisco recommends monitoring network traffic for signs of an attempted exploit and taking active measures to prevent an exploit, such as filtering management traffic through a firewall.

References

http://www.cisco.com/c/en/us/products/security-products/identification-and-response-systems/ios-edge-security-systems/protevangelistm101225aia_sl2_device_management_deviceshield.html

Mitigation Technologies

There are no known workarounds or mitigations for this vulnerability.

This vulnerability is only exposed when a device connects directly to the network and management systems are not filtered through a router. Cisco recommends monitoring network traffic for signs of an attempted exploit and taking active measures to prevent an exploit, such as filtering management traffic through a firewall.

Bleichenbacher Protection

The most effective mitigation against Bleichenbacher-style attacks is disabling Bleichenbacher protection. This can be done by either of the following methods:

- Disabling the TLS pre-shared key (PSK) in the security appliance's crypto map configuration
- Disabling the use of RSA keys when negotiating TLS with clients configured in a crypto map

Known Issues

This vulnerability enables a denial-of-service (DoS) attack. Customers should be cautious about implementing this workaround because the attacker could execute arbitrary code on the device if the exploit succeeds.

The CVE-2022-20940 advisory contains known issues. The most notable issue is that customers must be cautious about implementing this workaround because the attacker could execute arbitrary code on the device if the exploit succeeds.

Mitigation Measures for Vulnerabilities

Cisco provides the following mitigation measures for customers affected by this vulnerability:

- Upgrading to the latest software version
- Applying the recommendations in this advisory
- Disabling Bleichenbacher protection as described in the following section
- Monitoring network traffic for signs of an attempted exploit and taking active measures to prevent an exploit, such as filtering management traffic through a firewall
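The advisory repeatedly recommends monitoring network traffic for signs of an attempted exploit. A Bleichenbacher-style probe against an RSA key exchange needs a large number of TLS handshakes from one client against one server, most of which fail, so a burst of handshake failures per source address is the simplest signal a defender can watch for. The script below is an added example written for this page, not Cisco code: it parses a constructed, hypothetical syslog-like line format (`<timestamp> tls-fail src=<ip> reason=<text>`, which is not a real Cisco message format) and flags any source that exceeds a failure threshold within a sliding time window. The threshold and window values are assumptions to be tuned per environment.

```python
"""Flag clients producing bursts of failed TLS handshakes.

Added example (not Cisco code). The log format parsed here is a
constructed, hypothetical syslog-like line, not a real Cisco message.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> tls-fail src=<ip> reason=<text>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"tls-fail src=(?P<src>[\d.]+) reason=(?P<reason>\S+)$"
)


def parse_line(line):
    """Return (timestamp, source_ip, reason) or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("reason")


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {source_ip: peak_failures} for every source that logged at least
    `threshold` handshake failures inside any sliding window of length `window`.

    Lines are sorted by timestamp first, so out-of-order syslog delivery does
    not break the sliding window.
    """
    events = [p for p in (parse_line(l) for l in lines) if p is not None]
    events.sort(key=lambda e: e[0])

    recent = defaultdict(deque)  # source_ip -> timestamps inside the window
    peak = defaultdict(int)      # source_ip -> largest window count seen
    for ts, src, _reason in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def sample_log():
    """Constructed sample: one noisy client (30 failures in 30 s) and one
    benign client with two failures five minutes apart."""
    base = datetime(2022, 11, 15, 21, 15, 0)
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()} tls-fail "
        f"src=198.51.100.7 reason=handshake_failure"
        for i in range(30)
    ]
    lines.append(f"{base.isoformat()} tls-fail src=192.0.2.10 reason=handshake_failure")
    lines.append(
        f"{(base + timedelta(seconds=300)).isoformat()} tls-fail "
        f"src=192.0.2.10 reason=handshake_failure"
    )
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for src, n in find_bursts(sample_log()).items():
        print(f"ALERT {src}: {n} failed TLS handshakes within 60 s")
```

On the constructed sample the noisy client is reported with a peak of 30 failures in the window while the benign client, whose two failures are 300 seconds apart, stays below the threshold. In production the same counter would be fed from the device's actual TLS or syslog export, and the alert would typically feed the firewall rule the advisory recommends for management traffic.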

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/22/2022 14:47:00 UTC