CVE-2022-20742Missing Cryptographic Step in Cisco Adaptive Security Appliance Software

CWE-325Missing Cryptographic Step4 documents4 sources
Severity
7.4HIGHNVD
EPSS
0.1%
top 67.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cisco Adaptive Security Appliance SoftwareCisco Firepower Threat DefenseCisco Adaptive Security Appliance Software
Timeline
PublishedMay 3
Latest updateMay 4

Description

A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

NVDcisco/firepower_threat_defense6.5.06.6.5.2+3

🔴Vulnerability Details

2
GHSA
GHSA-m7xj-7gmx-xmr5: A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could al2022-05-04
CVEList
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability2022-05-03

📋Vendor Advisories

1
Cisco
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability2022-04-27
CVE-2022-20742 — Missing Cryptographic Step in Cisco | cvebase