Nadia Heninger

Nome do software vulnerável e versões afetadas: Protocolo RADIUS (versões afetadas não especificadas) FreeRadius (versões afetadas não especificadas) Palo Alto Networks PAN-OS (versões afetadas não especificadas) eduMFA anterior à versão 2.2.0 Descrição: O protocolo RADIUS, conforme a RFC 2865, é suscetível a ataques de falsificação por um invasor local, que pode modificar qualquer resposta válida (Access-Accept, Access-Reject ou Access-Challenge) para qualquer outra resposta, utilizando um ataque de colisão de prefixo escolhido contra a assinatura do autenticador de resposta MD5. Essa vulnerabilidade permite que um invasor realize um ataque man-in-the-middle entre um cliente e um servidor RADIUS para contornar a autenticação e escalar privilégios. O número estimado de dispositivos potencialmente afetados em todo o mundo não foi especificado. Não há informações sobre incidentes reais em que essa vulnerabilidade tenha sido explorada. Recomendações: Para o Protocolo RADIUS: Atualize o protocolo para usar um método de autenticação seguro, como um código de autenticação de mensagem com hash (HMAC) ou uma assinatura digital. Para o FreeRadius: Atualize para uma versão que inclua uma correção para essa vulnerabilidade. Para o Palo Alto Networks PAN-OS: atualize o perfil do servidor RADIUS para usar um protocolo de autenticação seguro, como o TLS, e certifique-se de que o CHAP ou o PAP não sejam usados, a menos que encapsulados por um túnel criptografado. Para o eduMFA: atualize para a versão 2.2.0 ou posterior. Como solução alternativa temporária, considere restringir o acesso ao servidor RADIUS e limitar o uso de protocolos vulneráveis, como o CHAP ou

**Nome do software vulnerável e versões afetadas** Software Cisco Adaptive Security Appliance (ASA) versões 9.16.1 e posteriores Software Cisco Firepower Threat Defense (FTD) versões 7.0.0 e posteriores **Descrição** Uma vulnerabilidade no tratamento de chaves RSA em dispositivos que executam o software Cisco Adaptive Security Appliance (ASA) e o software Cisco Firepower Threat Defense (FTD) pode permitir que um invasor remoto não autenticado recupere uma chave privada RSA. Essa vulnerabilidade se deve a um erro de lógica quando a chave RSA é armazenada na memória em uma plataforma de hardware que realiza criptografia baseada em hardware. Um invasor poderia explorar essa vulnerabilidade usando um ataque de canal lateral Lenstra contra o dispositivo visado. Estima-se que aproximadamente 5% das chaves RSA em um dispositivo que esteja executando uma versão vulnerável do software Cisco ASA ou do software Cisco FTD sejam afetadas. Se um invasor obtiver a chave privada RSA, ele poderá usá-la para se passar por um dispositivo que esteja executando o software Cisco ASA ou o software Cisco FTD ou para descriptografar o tráfego do dispositivo. **Recomendações** Para as versões 9.16.1 e posteriores do Cisco Adaptive Security Appliance (ASA) Software, os administradores podem precisar remover chaves RSA formadas incorretamente ou vulneráveis e, provavelmente, revogar quaisquer certificados associados a essas chaves. Para as versões 7.0.0 e posteriores do Cisco Firepower Threat Defense (FTD) Software, os administradores podem precisar remover chaves RSA formadas incorretamente ou vulneráveis e, provavelmente, revogar quaisquer certificados associados

**Name of the Vulnerable Software and Affected Versions** STMicroelectronics ST33TPHF2ESPI TPM devices versions prior to 2019-09-12 **Description** The issue is related to a side-channel timing attack that allows attackers to extract the ECDSA private key due to mishandled ECDSA scalar multiplication. This vulnerability is associated with defects in the cryptographic algorithms used in the TPM processor's firmware. An attacker can exploit this issue to recover the value of closed keys stored in the Trusted Platform Module. **Recommendations** For versions prior to 2019-09-12, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel(R) PTT versions prior to 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0, and 14.0.10 Intel(R) TXE versions prior to 3.1.70 and 4.0.20 Intel(R) SPS versions prior to SPS E5 04.01.04.305.0, SPS SoC-X 04.00.04.108.0, SPS SoC-A 04.00.04.191.0, SPS E3 04.01.04.086.0, and SPS E3 04.08.04.047.0 **Description** The issue is related to cryptographic timing conditions in the Intel(R) PTT, Intel(R) TXE, and Intel(R) SPS subsystems, which may allow an unauthenticated user to potentially enable information disclosure via network access. This vulnerability is associated with a lack of protection for service data and may allow a remote attacker to access cryptographic keys stored in the Trusted Platform Module (TPM). **Recommendations** For Intel(R) PTT versions prior to 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0, and 14.0.10, update to the respective fixed versions or later. For Intel(R) TXE versions prior to 3.1.70 and 4.0.20, update to the respective fixed versions or later. For Intel(R) SPS versions prior to SPS E5 04.01.04.305.0, SPS SoC-X 04.00.04.108.0, SPS SoC-A 04.00.04.191.0, SPS E3 04.01.04.086.0, and SPS E3 04.08.04.047.0, update to the respective fixed versions or later. As a temporary workaround, consider restricting access to the Trusted Platform Module (TPM) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libgcrypt versions prior to 1.7.8 **Description** The issue is related to a cache side-channel attack that can lead to a complete break of RSA-1024 and potentially RSA-2048 with increased computation. This attack requires the ability to run arbitrary software on the hardware where the private RSA key is used, allowing a local attacker to compromise data confidentiality by fully recovering the RSA key using the left-to-right method for computing the sliding-window expansion. **Recommendations** For libgcrypt versions prior to 1.7.8, update to version 1.7.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D versions prior to V6.00.046 Siemens Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U versions prior to V6.00.046 **Description** The issue is related to the use of a pseudo random number generator with insufficient entropy to generate certificates for HTTPS. This could potentially allow remote attackers to reconstruct the corresponding private key. **Recommendations** For versions prior to V6.00.046, update the firmware to version V6.00.046 or later to address the issue. As a temporary workaround, consider restricting access to the HTTPS interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Huawei S7700, S9300, S9700, and S12700 devices with software before V200R008C00SPC500 **Description** The issue concerns the generation of self-signed certificates in certain Huawei devices. These devices use random numbers with insufficient entropy, making it easier for remote attackers to discover private keys by leveraging knowledge of a certificate. This could potentially allow an attacker to compromise the certificates, as different devices' certificates may use the same random number. **Recommendations** For Huawei S7700, S9300, S9700, and S12700 devices with software before V200R008C00SPC500, update to V200R008C00SPC500 or later to resolve the issue. As a temporary workaround, consider restricting access to self-signed certificates until a patch is available. Avoid using self-signed certificates in sensitive environments until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11.5 **Description** The issue is related to the lack of protection for internal data in the Tcl component of the operating system. It can be exploited by a remote attacker to obtain sensitive information by leveraging SSLv2 support. **Recommendations** For Apple OS X versions prior to 10.11.5, update to version 10.11.5 or later to resolve the issue. As a temporary workaround, consider disabling SSLv2 support to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.1 through 1.0.1s OpenSSL versions 1.0.2 through 1.0.2g **Description** The issue is related to the MOD EXP CTIME COPY FROM PREBUF function in OpenSSL, which does not properly consider cache-bank access times during modular exponentiation. This makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, also known as a "CacheBleed" attack. The vulnerability allows attackers to recover RSA keys via a side-channel attack. **Recommendations** For OpenSSL versions 1.0.1 through 1.0.1s, update to version 1.0.1s or later. For OpenSSL versions 1.0.2 through 1.0.2g, update to version 1.0.2g or later. As a temporary workaround, consider restricting access to the MOD EXP CTIME COPY FROM PREBUF function until a patch is available. Avoid using the `MOD EXP CTIME COPY FROM PREBUF` function in the affected OpenSSL versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Moxa OnCell Gateway versions prior to 1.4 **Description** The issue is related to insufficient entropy for SSH and SSL keys, making it easier for remote attackers to gain access by leveraging knowledge of a key from another product installation. **Recommendations** For versions prior to 1.4, update the firmware to version 1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Innominate mGuard Smart HW versions before HW-101130 Innominate mGuard BD versions before BD-101030 Innominate mGuard industrial RS (affected versions not specified) Innominate mGuard delta HW versions before HW-103060 Innominate mGuard delta BD versions before BD-211010 Innominate mGuard PCI (affected versions not specified) Innominate mGuard blade (affected versions not specified) Innominate EAGLE mGuard appliances with software versions prior to 7.5.0 **Description** The issue is related to insufficient entropy for private keys, making it easier for man-in-the-middle attackers to spoof HTTPS or SSH servers by predicting a key value. **Recommendations** For Innominate mGuard Smart HW versions before HW-101130, update to a version after HW-101130. For Innominate mGuard BD versions before BD-101030, update to a version after BD-101030. For Innominate mGuard industrial RS, Innominate mGuard PCI, and Innominate mGuard blade, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Innominate mGuard delta HW versions before HW-103060, update to a version after HW-103060. For Innominate mGuard delta BD versions before BD-211010, update to a version after BD-211010. For Innominate EAGLE mGuard appliances with software versions prior to 7.5.0, update to software version 7.5.0 or later.