CVE-2017-12373
published 2017-12-15

Priority: P342 · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 12.80% (95.8th percentile)

A vulnerability in the TLS protocol implementation of legacy Cisco ASA 5500 Series (ASA 5505, 5510, 5520, 5540, and 5550) devices could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions. Cisco Bug IDs: CSCvg97652.

Detection & IOCs (extracted from sources)

  • Detect iterative TLS RSA key exchange connections from a single source — exploitation requires hundreds of thousands to millions of TLS connections to the target server
  • Scope detection to legacy Cisco ASA 5500 Series devices (ASA 5505, 5510, 5520, 5540, 5550) acting as TLS servers using RSA key exchange — these are the affected endpoints for CVE-2017-12373 (Bug ID CSCvg97652)
  • Alert on unauthenticated remote sources repeatedly initiating TLS handshakes with RSA key exchange to the same server — this is the prerequisite attacker action for a ROBOT (Return of Bleichenbacher's Oracle Threat) attack
  • Exploitation requires a two-phase attack: passive traffic capture AND active iterative TLS connection establishment. Detection of either phase alone is insufficient to confirm exploitation.
  • CVE-2017-12373 is specifically scoped to legacy ASA 5500 Series hardware (5505, 5510, 5520, 5540, 5550); other Cisco products are tracked under separate Bug IDs (CSCvg74693, CSCvh00296) and may have different fix availability.
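
One way to implement the first three detection points above, as an added example that is not part of the original entry: count TLS handshakes that negotiated a static-RSA key exchange suite, per source, against in-scope ASA servers in a sliding window. The record layout, addresses, window and threshold are assumptions; the sample is constructed and uses a small threshold, whereas real exploitation volume is far higher, and a hit covers only the active phase.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def uses_rsa_key_exchange(suite: str) -> bool:
    # IANA names of static-RSA key exchange suites start with TLS_RSA_WITH_;
    # (EC)DHE suites that only use RSA for signatures do not match.
    return suite.startswith("TLS_RSA_WITH_")

def flag_sources(records, asa_servers, threshold, window):
    """Return {(src, dst): peak_count} for sources whose RSA-key-exchange
    handshakes to an in-scope server reach `threshold` within `window`."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside the window
    peaks = {}
    for ts, src, dst, suite in sorted(records):
        if dst not in asa_servers or not uses_rsa_key_exchange(suite):
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:  # drop handshakes older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks

def constructed_sample():
    # Constructed records (timestamp, source, server, negotiated suite), not
    # real traffic; all addresses come from documentation ranges.
    t0 = datetime(2017, 12, 15, 9, 0, 0)
    asa = "192.0.2.10"  # assumed legacy ASA 5500 acting as TLS server
    recs = [(t0 + timedelta(milliseconds=200 * i), "203.0.113.7", asa,
             "TLS_RSA_WITH_AES_128_CBC_SHA") for i in range(600)]  # iterative querying
    recs += [(t0 + timedelta(minutes=5 * i), "198.51.100.4", asa,
              "TLS_RSA_WITH_AES_256_CBC_SHA") for i in range(6)]   # ordinary RSA client
    recs += [(t0 + timedelta(seconds=i), "198.51.100.9", asa,
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") for i in range(600)]  # busy, not RSA kx
    recs += [(t0 + timedelta(seconds=i), "203.0.113.7", "192.0.2.99",
              "TLS_RSA_WITH_AES_128_CBC_SHA") for i in range(600)]  # server out of scope
    return recs, {asa}

if __name__ == "__main__":
    records, servers = constructed_sample()
    # Demo threshold only; tune it against the baseline of each device.
    hits = flag_sources(records, servers, 500, timedelta(minutes=10))
    for (src, dst), peak in hits.items():
        print(f"ALERT {src} -> {dst}: {peak} RSA key-exchange handshakes in 10 min")
```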

CVSS provenance

nvd v3.0: 5.9 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:P/I:N/A:N)
vendor_cisco: 5.3 MEDIUM