CVE-2016-9212

Name of the Vulnerable Software and Affected Versions Cisco Web Security Appliances versions 9.0.1-162 through 9.1.1-074

Description A vulnerability in the Decrypt for End-User Notification configuration parameter could allow an unauthenticated, remote attacker to connect to a secure website over Secure Sockets Layer (SSL) or Transport Layer Security (TLS), even if the WSA is configured to block connections to the website. This issue affects devices with HTTPS decryption options enabled and configured to block certain websites.

Recommendations For versions 9.0.1-162 through 9.1.1-074, consider disabling the HTTPS decryption options as a temporary workaround until a patch is available. Restrict access to the Decrypt for End-User Notification configuration parameter to minimize the risk of exploitation. Avoid using the Decrypt for End-User Notification feature in the affected configuration until the issue is resolved.