Vulnerability Name:

CVE-2022-20742 (CCN-225286)

Assigned:2021-11-02
Published:2022-04-27
Updated:2022-05-13
Summary:A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec IKEv2 VPN tunnel and then using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.
CVSS v3 Severity:7.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): None
7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2022-20742

Source: XF
Type: UNKNOWN
cisco-asa-cve202220742-info-disc(225286)

Source: CCN
Type: Cisco Security Advisory cisco-sa-asaftd-ipsec-mitm-CKnLr4
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability

Source: CISCO
Type: Vendor Advisory
20220427 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability

Vulnerable Configuration:Configuration 1:
  • cpe:/a:cisco:firepower_threat_defense:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* (Version >= 6.5.0 and < 6.6.5.2)
  • OR cpe:/a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* (Version < 6.4.0.15)
  • OR cpe:/a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* (Version >= 7.0.0 and < 7.0.2)
  • OR cpe:/o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* (Version >= 9.17.0 and < 9.17.1.7)
  • OR cpe:/o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* (Version >= 9.16.0 and < 9.16.2.14)
  • OR cpe:/o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* (Version >= 9.15.0 and < 9.15.1.21)
  • OR cpe:/o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* (Version < 9.12.4.38)
  • OR cpe:/o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* (Version >= 9.13.0 and < 9.14.4)

    • * Denotes that component is vulnerable
    BACK
    cisco firepower threat defense 7.1.0
    cisco firepower threat defense *
    cisco firepower threat defense *
    cisco firepower threat defense *
    cisco adaptive security appliance software *
    cisco adaptive security appliance software *
    cisco adaptive security appliance software *
    cisco adaptive security appliance software *
    cisco adaptive security appliance software *