PT-2015-1409 · Cisco+1 · Cisco Asa+1

Published: 2015-06-16 · Updated: 2023-08-11 · CVE-2015-4550

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Adaptive Security Appliance (ASA) versions 9.3(3) through 9.4(1.1)

Description

The issue is related to errors in cryptographic transformations in the Cisco ASA cryptographic module. This could allow a remote attacker to gain access to traffic transmitted over IPSec and IKEv2 protocols by conducting a "man-in-the-middle" attack. The vulnerability makes it easier for attackers to spoof IPSec and IKEv2 traffic by modifying packet data without being detected. The problem lies in the Cavium cryptographic-module firmware not verifying the AES-GCM Integrity Check Value (ICV) octets.

Recommendations

For versions 9.3(3) and 9.4(1.1), consider disabling the AES-GCM code as a temporary workaround until a patch is available. Restrict access to the IPSec and IKEv2 protocols to minimize the risk of exploitation. Avoid using the AES-GCM encryption method in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
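
The ICV check that the description says the firmware does not perform, shown as an added example (not Cisco or Cavium code and not part of the original entry). Node.js's built-in AES-GCM stands in for the cryptographic module; the key, nonce, AAD, payload and all function names are constructed for illustration. It contrasts a receiver that verifies the ICV with one that skips it.

```javascript
// Added example with constructed values; not Cisco or Cavium code.
const nodeCrypto = require("node:crypto");

const KEY = Buffer.alloc(32, 0x11);   // constructed 256-bit key
const NONCE = Buffer.alloc(12, 0x22); // constructed 96-bit nonce (never reuse one with a real key)
const AAD = Buffer.from("0000100100000001", "hex"); // constructed ESP SPI + sequence number

// Sender: encrypt and return the ciphertext plus the 16-octet ICV (GCM tag).
function seal(plaintext) {
  const c = nodeCrypto.createCipheriv("aes-256-gcm", KEY, NONCE);
  c.setAAD(AAD);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { ciphertext, icv: c.getAuthTag() };
}

// Correct receiver: final() compares the ICV and throws on any mismatch.
function openVerified({ ciphertext, icv }) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", KEY, NONCE);
  d.setAAD(AAD);
  d.setAuthTag(icv);
  try {
    return Buffer.concat([d.update(ciphertext), d.final()]);
  } catch {
    return null; // authentication failed: the packet must be dropped
  }
}

// Receiver with the flaw class described above: the ICV is never checked,
// so GCM degrades to unauthenticated counter-mode decryption.
function openUnverified({ ciphertext }) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", KEY, NONCE);
  d.setAAD(AAD);
  return d.update(ciphertext); // final() is never called, so no tag comparison
}

// Simulate in-transit modification: XOR one ciphertext octet, keep the old ICV.
function tamper(pkt, offset, mask) {
  const ciphertext = Buffer.from(pkt.ciphertext); // copy, leave original intact
  ciphertext[offset] ^= mask;
  return { ciphertext, icv: pkt.icv };
}

const sample = seal(Buffer.from("route via gw-a")); // constructed payload
const modified = tamper(sample, 13, 0x02);
console.log("verified receiver  :", openVerified(modified));              // null
console.log("unverified receiver:", openUnverified(modified).toString()); // altered text
```

A regression test for any AES-GCM decrypt path should include exactly this case: a packet with one modified octet and the original ICV must be rejected.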

Weakness Enumeration

Related Identifiers

BDU:2015-10504
CVE-2015-4550

Affected Products

Cavium Cryptographic-Module
Cisco Asa