CVE-2019-12621

CWE-320 CWE-327 — Broken Cryptographic Algorithm4 documents4 sources

Severity

7.4HIGH

EPSS

0.1%

top 80.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Cisco Hyperflex Hx-series Cisco Hyperflex Hx220c AF M5 Firmware Cisco Hyperflex Hx220c Edge M5 Firmware +3 more

Timeline

PublishedAug 21

Latest updateMay 24

Description

A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack. The vulnerability is due to insufficient key management. An attacker could exploit this vulnerability by obtaining a specific encryption key for the cluster. A successful exploit could allow the attacker to perform a man-in-the-middle attack against other nodes in the cluster.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5cisco/cisco_hyperflex_hx-seriesunspecified — 4.0(1a)

▶NVDcisco/hyperflex_hx220c_m5_firmware3.0\(1a\), 3.5\(2a\)+1

▶NVDcisco/hyperflex_hx240c_m5_firmware3.0\(1a\), 3.5\(2a\)+1

▶NVDcisco/hyperflex_hx220c_af_m5_firmware3.0\(1a\), 3.5\(2a\)+1

▶NVDcisco/hyperflex_hx240c_af_m5_firmware3.0\(1a\), 3.5\(2a\)+1

🔴Vulnerability Details

GHSA

GHSA-mghj-97x2-4v8w: A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack↗2022-05-24

▶

CVEList

Cisco HyperFlex Static SSL Key Vulnerability↗2019-08-21

▶

📋Vendor Advisories

Cisco

Cisco HyperFlex Static SSL Key Vulnerability↗2019-08-21

▶