Key management errors in Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software



Published: 2023-03-23
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-20107
CWE-ID CWE-320
Exploitation vector Network
Public exploit N/A
Vulnerable software
Adaptive Security Appliance 5506-X
Hardware solutions / Firmware

Adaptive Security Appliance 5506H-X
Hardware solutions / Firmware

Adaptive Security Appliance 5506W-X
Hardware solutions / Firmware

Adaptive Security Appliance 5508-X
Hardware solutions / Firmware

Adaptive Security Appliance 5516-X
Hardware solutions / Firmware

Cisco Adaptive Security Appliance (ASA)
Hardware solutions / Security hardware appliances

Cisco Firepower Threat Defense (FTD)
Hardware solutions / Security hardware appliances

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Key management errors

EUVDB-ID: #VU73975

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20107

CWE-ID: CWE-320 - Key Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a cryptographic collision.

The vulnerability exists due to insufficient entropy in the deterministic random bit generator (DRBG) for the affected hardware platforms when generating cryptographic keys. A remote attacker can generate a large number of cryptographic keys, discover the private key and decrypt traffic that is sent to or from the target device.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adaptive Security Appliance 5506-X: All versions

Adaptive Security Appliance 5506H-X: All versions

Adaptive Security Appliance 5506W-X: All versions

Adaptive Security Appliance 5508-X: All versions

Adaptive Security Appliance 5516-X: All versions

Cisco Adaptive Security Appliance (ASA): before 9.12.1

Cisco Firepower Threat Defense (FTD): before 6.4.0
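The description above states the failure mode (a DRBG with too little entropy can hand out keys that collide across devices) and the list above gives the affected version ranges. The following fleet-audit script is an added example, not code from this bulletin or from Cisco. It encodes the affected ranges exactly as this page lists them, parses both dotted and Cisco-style "9.8(4)" version strings, and flags any public key that appears on more than one device, which is the observable symptom of the collision the description warns about. The product labels, the hypothetical device names and the placeholder key bytes in the sample fleet are all constructed for the example; in practice the key bytes would be the DER-encoded SubjectPublicKeyInfo pulled from each device's certificate.

```python
import hashlib
from collections import defaultdict

# Affected ranges exactly as this bulletin lists them (constructed table for the example).
# None means the page says "All versions" and names no fixed release.
FIXED_RELEASE = {
    "Adaptive Security Appliance 5506-X": None,
    "Adaptive Security Appliance 5506H-X": None,
    "Adaptive Security Appliance 5506W-X": None,
    "Adaptive Security Appliance 5508-X": None,
    "Adaptive Security Appliance 5516-X": None,
    "Cisco Adaptive Security Appliance (ASA)": "9.12.1",
    "Cisco Firepower Threat Defense (FTD)": "6.4.0",
}


def parse_version(version):
    """Turn '9.8.4' or Cisco's '9.8(4)' notation into a comparable tuple of ints."""
    parts = version.replace("(", ".").replace(")", ".").split(".")
    return tuple(int(p) for p in parts if p.strip())


def is_affected(product, version):
    """True when the product/version pair falls inside the bulletin's affected range."""
    if product not in FIXED_RELEASE:
        return False  # product not covered by this bulletin
    fixed = FIXED_RELEASE[product]
    if fixed is None:
        return True   # "All versions" on this page
    return parse_version(version) < parse_version(fixed)


def key_fingerprint(spki_der):
    """SHA-256 over the DER-encoded public key, the usual way to compare keys across hosts."""
    return hashlib.sha256(spki_der).hexdigest()


def find_shared_keys(inventory):
    """inventory: {device: public_key_der}. Returns {fingerprint: [devices]} for keys
    seen on more than one device. Identical keys on distinct appliances are the
    collision symptom of a weak DRBG; no duplicates does not prove entropy is adequate."""
    seen = defaultdict(list)
    for device, key in inventory.items():
        seen[key_fingerprint(key)].append(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


def audit_fleet(fleet):
    """fleet: list of dicts with 'device', 'product', 'version', 'public_key'.
    Returns the devices in the affected range (in input order) and any shared keys."""
    affected = [d["device"] for d in fleet if is_affected(d["product"], d["version"])]
    shared = find_shared_keys({d["device"]: d["public_key"] for d in fleet})
    return {"affected": affected, "shared_keys": shared}


# Constructed sample fleet: hypothetical device names and placeholder key bytes.
SAMPLE_FLEET = [
    {"device": "asa-hq-01", "product": "Cisco Adaptive Security Appliance (ASA)",
     "version": "9.12(1)", "public_key": b"constructed-key-1"},
    {"device": "asa-branch-01", "product": "Adaptive Security Appliance 5506-X",
     "version": "9.8(4)", "public_key": b"constructed-key-2"},
    {"device": "asa-branch-02", "product": "Adaptive Security Appliance 5506-X",
     "version": "9.8(4)", "public_key": b"constructed-key-2"},  # same key as branch-01
    {"device": "ftd-dc-01", "product": "Cisco Firepower Threat Defense (FTD)",
     "version": "6.2.3", "public_key": b"constructed-key-3"},
    {"device": "ftd-dc-02", "product": "Cisco Firepower Threat Defense (FTD)",
     "version": "6.6.0", "public_key": b"constructed-key-4"},
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_FLEET)
    print("In affected range:", report["affected"])
    for fp, devices in report["shared_keys"].items():
        print(f"Shared public key {fp[:16]}... on: {', '.join(devices)}")
```

In the sample run, the two 5506-X devices are flagged twice: once because every 5506-X release is listed as affected, and once because they present the same public key. The ASA at 9.12(1) and the FTD at 6.6.0 sit at or above the fixed releases named above and are not flagged.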

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa5500x-entropy-6v9bHVYP


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


