CVE-2019-1672 - OpenCVE

A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cisco	Web Security Appliance

Configuration 1 [-]

OR	cpe:2.3:a:cisco:web_security_appliance:10.1.0-204:::::::*
	cpe:2.3:a:cisco:web_security_appliance:10.5.2-072:::::::*
	cpe:2.3:a:cisco:web_security_appliance:11.5.1-fcs-115:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/106904	Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisco

Published: 2019-02-06T00:00:00

Updated: 2019-02-09T10:57:01

Reserved: 2018-12-06T00:00:00

Link: CVE-2019-1672

JSON object: View

NVD Information

Status : Modified

Published: 2019-02-08T18:29:00.283

Modified: 2019-10-09T23:47:41.157

Link: CVE-2019-1672

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"containers": {"cna": {"affected": [{"product": "Cisco Web Security Appliance (WSA) ", "vendor": "Cisco", "versions": [{"status": "affected", "version": "10.1"}, {"status": "affected", "version": "10.5"}]}], "datePublic": "2019-02-06T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-02-09T10:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20190206 Cisco Web Security Appliance Decryption Policy Bypass Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass"}, {"name": "106904", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106904"}], "source": {"advisory": "cisco-sa-20190206-wsa-bypass", "defect": [["CSCvm91630"]], "discovery": "INTERNAL"}, "title": "Cisco Web Security Appliance Decryption Policy Bypass Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2019-02-06T16:00:00-0800", "ID": "CVE-2019-1672", "STATE": "PUBLIC", "TITLE": "Cisco Web Security Appliance Decryption Policy Bypass Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Web Security Appliance (WSA) ", "version": {"version_data": [{"version_value": "10.1"}, {"version_value": "10.5"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "impact": {"cvss": {"baseScore": "5.8", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N ", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400"}]}]}, "references": {"reference_data": [{"name": "20190206 Cisco Web Security Appliance Decryption Policy Bypass Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass"}, {"name": "106904", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106904"}]}, "source": {"advisory": "cisco-sa-20190206-wsa-bypass", "defect": [["CSCvm91630"]], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2019-1672", "datePublished": "2019-02-06T00:00:00", "dateReserved": "2018-12-06T00:00:00", "dateUpdated": "2019-02-09T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:web_security_appliance:10.1.0-204:*:*:*:*:*:*:*", "matchCriteriaId": "AC71F9F5-B0BA-4415-A4C8-9D0B15732A54", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:10.5.2-072:*:*:*:*:*:*:*", "matchCriteriaId": "B8F218D6-2AF8-449B-8016-E0B8AAA362D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:11.5.1-fcs-115:*:*:*:*:*:*:*", "matchCriteriaId": "12479145-9933-4FB8-A479-AFB8A2C526EA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected."}, {"lang": "es", "value": "Una vulnerabilidad en la funcionalidad Decryption Policy Default Action de Cisco Web Security Appliance (WSA) podr\u00eda permitir que un atacante remoto no autenticado omita una pol\u00edtica de anulaci\u00f3n configurada y permita el tr\u00e1fico en la red que deber\u00eda no estar permitido. Esta vulnerabilidad se debe a la gesti\u00f3n inadecuada del tr\u00e1fico cifrado por SSL cuando las notificaciones \"Decrypt for End-User\" est\u00e1n deshabilitadas en la configuraci\u00f3n. Un atacante podr\u00eda explotar esta vulnerabilidad enviando una conexi\u00f3n SSL a trav\u00e9s de un dispositivo afectado. Su explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el atacante omita una pol\u00edtica de anulaci\u00f3n configurada para bloquear conexiones SSL concretas. Las versiones 10.1.x y 10.5.x se han visto afectadas."}], "id": "CVE-2019-1672", "lastModified": "2019-10-09T23:47:41.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2019-02-08T18:29:00.283", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/106904"}, {"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}