QID 317183
Date Published: 2023-05-02
QID 317183: Cisco Adaptive Security Appliance (ASA) Software IPsec IKEv2 Virtual Private Network (VPN) Information Disclosure Vulnerability (cisco-sa-asaftd-ipsec-mitm-CKnLr4)
A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel.
Affected Products
This vulnerability affects Cisco products that are running a vulnerable release of Cisco ASA Software and have an IPsec IKEv2 VPN (either Remote Access or LAN-to-LAN) configured with a GCM cipher in an IPsec proposal.
QID Detection Logic (Authenticated):
The check matches the Cisco ASA OS version retrieved via Unix authentication using the "show version" command.
A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.
Customers are advised to refer to cisco-sa-asaftd-ipsec-mitm-CKnLr4 for more information.
Workaround:
To remove the attack vector for this vulnerability, reconfigure all existing IPsec IKEv2 proposals to use a non-GCM cipher.
For example, if you have the following IPsec IKEv2 proposal configured:
firewall# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES-GCM
protocol esp encryption aes-gcm
protocol esp integrity null
Reconfigure that as follows:
firewall# configure terminal
firewall(config)# crypto ipsec ikev2 ipsec-proposal AES-GCM
firewall(config-ipsec-proposal)# protocol esp integrity sha-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored
firewall(config-ipsec-proposal)# protocol esp encryption aes-256
firewall# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES-GCM
protocol esp encryption aes-256
protocol esp integrity sha-256
Note: GCM ciphers are inherently authenticated, so the configured integrity algorithm is ignored for these ciphers and the null integrity algorithm is recommended while a GCM cipher is in use. When changing to a non-GCM cipher, configure a valid integrity algorithm first (as in the sequence above), since a null integrity algorithm would leave ESP traffic unauthenticated once a non-authenticated cipher such as aes-256 is applied.
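The following script is an added example (not Qualys detection logic or Cisco code) that applies the workaround above at scale: it parses "show running-config crypto ipsec" output, flags every IKEv2 IPsec proposal that offers a GCM or GMAC ESP cipher, and emits the remediation commands in the advisory's order (integrity first, then encryption). The sample configuration is constructed, and the set of GCM/GMAC cipher names beyond the "aes-gcm" used on this page is assumed from ASA CLI naming.

```python
import re
from typing import Dict, List

# ESP encryption algorithm names that are GCM/GMAC (authenticated) ciphers, as
# they appear in an ASA running-config. The advisory's example uses "aes-gcm";
# the other key sizes and GMAC variants are assumed from ASA CLI naming.
GCM_CIPHERS = {
    "aes-gcm", "aes-gcm-192", "aes-gcm-256",
    "aes-gmac", "aes-gmac-192", "aes-gmac-256",
}

# Constructed sample of "show running-config crypto ipsec" output (not from a real device).
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal MIXED
 protocol esp encryption aes-gcm-256 aes-256
 protocol esp integrity sha-512 sha-256
"""

Proposal = Dict[str, List[str]]


def parse_proposals(config: str) -> Dict[str, Proposal]:
    """Return {proposal-name: {"encryption": [...], "integrity": [...]}}."""
    proposals: Dict[str, Proposal] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec ikev2 ipsec-proposal (\S+)\s*$", line)
        if m:
            current = m.group(1)
            proposals[current] = {"encryption": [], "integrity": []}
            continue
        if current is None or not line.startswith(" "):
            current = None  # any unindented line ends the proposal block
            continue
        m = re.match(r"^\s*protocol esp (encryption|integrity) (.+?)\s*$", line)
        if m:
            proposals[current][m.group(1)] = m.group(2).split()
    return proposals


def gcm_proposals(proposals: Dict[str, Proposal]) -> Dict[str, List[str]]:
    """Proposals offering any GCM/GMAC cipher, mapped to the offending ciphers."""
    return {
        name: [c for c in p["encryption"] if c in GCM_CIPHERS]
        for name, p in proposals.items()
        if any(c in GCM_CIPHERS for c in p["encryption"])
    }


def remediation_commands(name: str, proposal: Proposal,
                         fallback_cipher: str = "aes-256",
                         fallback_integrity: str = "sha-256") -> List[str]:
    """CLI lines that rewrite one proposal to use only non-GCM ciphers.

    Integrity is set before encryption, matching the advisory's workaround:
    while a GCM cipher is configured the integrity setting is ignored (the
    device only warns), so a valid integrity algorithm is already in place
    by the time the non-GCM cipher is applied.
    """
    ciphers = [c for c in proposal["encryption"] if c not in GCM_CIPHERS] or [fallback_cipher]
    integrity = [i for i in proposal["integrity"] if i != "null"] or [fallback_integrity]
    return [
        f"crypto ipsec ikev2 ipsec-proposal {name}",
        f" protocol esp integrity {' '.join(integrity)}",
        f" protocol esp encryption {' '.join(ciphers)}",
    ]


def audit(config: str) -> Dict[str, List[str]]:
    """Map each GCM-using proposal in the config to its remediation commands."""
    proposals = parse_proposals(config)
    return {name: remediation_commands(name, proposals[name])
            for name in gcm_proposals(proposals)}


if __name__ == "__main__":
    for name, cmds in audit(SAMPLE_CONFIG).items():
        print(f"! proposal {name} offers a GCM cipher; reconfigure with:")
        print("\n".join(cmds))
```

The script only reports; review the generated lines before pasting them into configure terminal, since a proposal that mixed GCM and non-GCM ciphers is reduced to the non-GCM ones it already offered, and peers that negotiated only GCM will need a matching change on their side.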
- cisco-sa-asaftd-ipsec-mitm-CKnLr4 -
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipsec-mitm-CKnLr4
CVEs related to QID 317183
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| cisco-sa-asaftd-ipsec-mitm-CKnLr4 | Cisco ASA Software, Cisco FTD Software | IPsec VPN library | sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipsec-mitm-CKnLr4 |