Nadia Heninger

Name of the Vulnerable Software and Affected Versions: RADIUS Protocol (affected versions not specified) FreeRadius (affected versions not specified) Palo Alto Networks PAN-OS (affected versions not specified) eduMFA prior version 2.2.0 Description: The RADIUS protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. This vulnerability allows an attacker performing a meddler-in-the-middle attack between a RADIUS client and server to bypass authentication and escalate privileges. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Recommendations: For RADIUS Protocol: Update the protocol to use a secure authentication method, such as a hashed message authentication code (HMAC) or a digital signature. For FreeRadius: Update to a version that includes a fix for this vulnerability. For Palo Alto Networks PAN-OS: Update the RADIUS server profile to use a secure authentication protocol, such as TLS, and ensure that CHAP or PAP is not used unless encapsulated by an encrypted tunnel. For eduMFA: Update to version 2.2.0 or later. As a temporary workaround, consider restricting access to the RADIUS server and limiting the use of vulnerable protocols, such as CHAP or PAP, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) Software versions 9.16.1 and later Cisco Firepower Threat Defense (FTD) Software versions 7.0.0 and later **Description** A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. Approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software are expected to be affected. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. **Recommendations** For Cisco Adaptive Security Appliance (ASA) Software versions 9.16.1 and later, administrators may need to remove improperly formed or vulnerable RSA keys and likely revoke any certificates associated with these keys. For Cisco Firepower Threat Defense (FTD) Software versions 7.0.0 and later, administrators may need to remove improperly formed or vulnerable RSA keys and likely revoke any certificates associated with these keys. As a temporary workaround, consider disabling the use of RSA keys on affected devices until a patch is available.

**Name of the Vulnerable Software and Affected Versions** STMicroelectronics ST33TPHF2ESPI TPM devices versions prior to 2019-09-12 **Description** The issue is related to a side-channel timing attack that allows attackers to extract the ECDSA private key due to mishandled ECDSA scalar multiplication. This vulnerability is associated with defects in the cryptographic algorithms used in the TPM processor's firmware. An attacker can exploit this issue to recover the value of closed keys stored in the Trusted Platform Module. **Recommendations** For versions prior to 2019-09-12, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel(R) PTT versions prior to 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0, and 14.0.10 Intel(R) TXE versions prior to 3.1.70 and 4.0.20 Intel(R) SPS versions prior to SPS E5 04.01.04.305.0, SPS SoC-X 04.00.04.108.0, SPS SoC-A 04.00.04.191.0, SPS E3 04.01.04.086.0, and SPS E3 04.08.04.047.0 **Description** The issue is related to cryptographic timing conditions in the Intel(R) PTT, Intel(R) TXE, and Intel(R) SPS subsystems, which may allow an unauthenticated user to potentially enable information disclosure via network access. This vulnerability is associated with a lack of protection for service data and may allow a remote attacker to access cryptographic keys stored in the Trusted Platform Module (TPM). **Recommendations** For Intel(R) PTT versions prior to 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0, and 14.0.10, update to the respective fixed versions or later. For Intel(R) TXE versions prior to 3.1.70 and 4.0.20, update to the respective fixed versions or later. For Intel(R) SPS versions prior to SPS E5 04.01.04.305.0, SPS SoC-X 04.00.04.108.0, SPS SoC-A 04.00.04.191.0, SPS E3 04.01.04.086.0, and SPS E3 04.08.04.047.0, update to the respective fixed versions or later. As a temporary workaround, consider restricting access to the Trusted Platform Module (TPM) to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libgcrypt versions prior to 1.7.8 **Description** The issue is related to a cache side-channel attack that can lead to a complete break of RSA-1024 and potentially RSA-2048 with increased computation. This attack requires the ability to run arbitrary software on the hardware where the private RSA key is used, allowing a local attacker to compromise data confidentiality by fully recovering the RSA key using the left-to-right method for computing the sliding-window expansion. **Recommendations** For libgcrypt versions prior to 1.7.8, update to version 1.7.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D versions prior to V6.00.046 Siemens Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U versions prior to V6.00.046 **Description** The issue is related to the use of a pseudo random number generator with insufficient entropy to generate certificates for HTTPS. This could potentially allow remote attackers to reconstruct the corresponding private key. **Recommendations** For versions prior to V6.00.046, update the firmware to version V6.00.046 or later to address the issue. As a temporary workaround, consider restricting access to the HTTPS interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Huawei S7700, S9300, S9700, and S12700 devices with software before V200R008C00SPC500 **Description** The issue concerns the generation of self-signed certificates in certain Huawei devices. These devices use random numbers with insufficient entropy, making it easier for remote attackers to discover private keys by leveraging knowledge of a certificate. This could potentially allow an attacker to compromise the certificates, as different devices' certificates may use the same random number. **Recommendations** For Huawei S7700, S9300, S9700, and S12700 devices with software before V200R008C00SPC500, update to V200R008C00SPC500 or later to resolve the issue. As a temporary workaround, consider restricting access to self-signed certificates until a patch is available. Avoid using self-signed certificates in sensitive environments until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11.5 **Description** The issue is related to the lack of protection for internal data in the Tcl component of the operating system. It can be exploited by a remote attacker to obtain sensitive information by leveraging SSLv2 support. **Recommendations** For Apple OS X versions prior to 10.11.5, update to version 10.11.5 or later to resolve the issue. As a temporary workaround, consider disabling SSLv2 support to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.1 through 1.0.1s OpenSSL versions 1.0.2 through 1.0.2g **Description** The issue is related to the MOD EXP CTIME COPY FROM PREBUF function in OpenSSL, which does not properly consider cache-bank access times during modular exponentiation. This makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, also known as a "CacheBleed" attack. The vulnerability allows attackers to recover RSA keys via a side-channel attack. **Recommendations** For OpenSSL versions 1.0.1 through 1.0.1s, update to version 1.0.1s or later. For OpenSSL versions 1.0.2 through 1.0.2g, update to version 1.0.2g or later. As a temporary workaround, consider restricting access to the MOD EXP CTIME COPY FROM PREBUF function until a patch is available. Avoid using the `MOD EXP CTIME COPY FROM PREBUF` function in the affected OpenSSL versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Moxa OnCell Gateway versions prior to 1.4 **Description** The issue is related to insufficient entropy for SSH and SSL keys, making it easier for remote attackers to gain access by leveraging knowledge of a key from another product installation. **Recommendations** For versions prior to 1.4, update the firmware to version 1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Innominate mGuard Smart HW versions before HW-101130 Innominate mGuard BD versions before BD-101030 Innominate mGuard industrial RS (affected versions not specified) Innominate mGuard delta HW versions before HW-103060 Innominate mGuard delta BD versions before BD-211010 Innominate mGuard PCI (affected versions not specified) Innominate mGuard blade (affected versions not specified) Innominate EAGLE mGuard appliances with software versions prior to 7.5.0 **Description** The issue is related to insufficient entropy for private keys, making it easier for man-in-the-middle attackers to spoof HTTPS or SSH servers by predicting a key value. **Recommendations** For Innominate mGuard Smart HW versions before HW-101130, update to a version after HW-101130. For Innominate mGuard BD versions before BD-101030, update to a version after BD-101030. For Innominate mGuard industrial RS, Innominate mGuard PCI, and Innominate mGuard blade, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Innominate mGuard delta HW versions before HW-103060, update to a version after HW-103060. For Innominate mGuard delta BD versions before BD-211010, update to a version after BD-211010. For Innominate EAGLE mGuard appliances with software versions prior to 7.5.0, update to software version 7.5.0 or later.