#VU66391 Observable discrepancy in Cisco Systems, Inc products - CVE-2022-20866
Published: August 11, 2022 / Updated: August 11, 2022
Vulnerability identifier: #VU66391
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2022-20866
CWE-ID: CWE-203
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Cisco Adaptive Security Appliance (ASA)
Cisco Firewall Threat Defense (FTD)
Firepower 9300 Series Security Appliances
ASA 5506-X with FirePOWER Services
ASA 5506H-X with FirePOWER Services
ASA 5506W-X with FirePOWER Services
ASA 5508-X with FirePOWER Services
ASA 5516-X with FirePOWER Services
Firepower 1000 Series Next-Generation Firewall
Firepower 2100 Series Security Appliances
Firepower 4100 Series Security Appliances
Secure Firewall 3100
Cisco Adaptive Security Appliance (ASA)
Cisco Firewall Threat Defense (FTD)
Firepower 9300 Series Security Appliances
ASA 5506-X with FirePOWER Services
ASA 5506H-X with FirePOWER Services
ASA 5506W-X with FirePOWER Services
ASA 5508-X with FirePOWER Services
ASA 5516-X with FirePOWER Services
Firepower 1000 Series Next-Generation Firewall
Firepower 2100 Series Security Appliances
Firepower 4100 Series Security Appliances
Secure Firewall 3100
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. A remote attacker can perform a Lenstra side-channel attack and retrieve the RSA private key.
Remediation
Install updates from vendor's website.