Cisco Bug: CSCus15224 - Cisco RV042 Deterministic TLS Public Key Vulnerability

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Small Business RV Series Routers

Known Affected Releases

4.0.2.8-tm

Description (partial)

Symptoms:
A vulnerability in the HTTPS session key exchange process of the Cisco RV042 Dual WAN VPN Router could allow an unauthenticated, remote attacker
to obtain the key pair used in the TLS session from the affected device.

The vulnerability is due to insufficient sources of entropy used by the random number generator. An attacker could exploit this vulnerability by
gathering large amounts of TLS handshake data to predict the random numbers generated for the key pair. An exploit could allow the attacker to
decrypt session data between a host and the affected device.

Conditions:
Device running a default configuration with an affected version of software.

Related Community Discussions

RV042 w/ firmware 4.2.3.06 "Server has a weak ephemeral Diffie-Hellman public key"
Hi, I'm running out of browsers that will allow me to connect to the RV042 web admin UI due to the SSL implementation on the RV042. The newest versions of Chrome and Firefox are refusing to connect and cannot be overridden. The official error is "ERR_SSL_WEAK_EPHEMERAL_DH_KEY" and the Chrome support doc is https://support.google.com/chrome/answer/6098869?p=dh_error&rd=1#DHkey. Please tell me that Cisco is planning to address this asap. Thanks. John
Latest activity: Nov 26, 2015