ID

VAR-201612-0374


CVE

CVE-2016-9212


TITLE

Vulnerability in the End-User Notification configuration parameter of Cisco AsyncOS for Web Security Appliance that allows block settings to be bypassed

Trust: 0.8

sources: JVNDB: JVNDB-2016-006308

DESCRIPTION

A vulnerability in the Decrypt for End-User Notification configuration parameter of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to connect to a secure website over Secure Sockets Layer (SSL) or Transport Layer Security (TLS), even if the WSA is configured to block connections to the website. Affected Products: This vulnerability affects Cisco Web Security Appliances if the HTTPS decryption options are enabled and configured for the device to block connections to certain websites. More Information: CSCvb49012. Known Affected Releases: 9.0.1-162, 9.1.1-074.

Cisco Web Security Appliance (WSA) is a network security device from Cisco Systems Inc. The appliance provides SaaS-based access control, real-time network reporting and tracking, and security policy formulation.

The Web Security Appliance contains a remote security bypass vulnerability. An attacker could exploit this vulnerability to bypass security restrictions and perform unauthorized actions that may aid in further attacks. An attacker could exploit this vulnerability by sending a specially crafted HTTP request to access a prohibited website. This issue is tracked by Cisco Bug ID CSCvb49012.

Trust: 2.52

sources: NVD: CVE-2016-9212 // JVNDB: JVNDB-2016-006308 // CNVD: CNVD-2016-12243 // BID: 94774 // VULHUB: VHN-98032

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-12243

AFFECTED PRODUCTS

vendor: cisco, model: web security appliance, scope: eq, version: 9.1.1-074

Trust: 1.6

vendor: cisco, model: web security appliance, scope: eq, version: 9.0.1-162

Trust: 1.6

vendor: cisco, model: asyncos, scope: -, version: -

Trust: 0.8

vendor: cisco, model: web security the appliance, scope: eq, version: 9.0.1-162

Trust: 0.8

vendor: cisco, model: web security the appliance, scope: eq, version: 9.1.1-074

Trust: 0.8

vendor: cisco, model: asyncos software, scope: -, version: -

Trust: 0.6

vendor: cisco, model: web security appliance all, scope: -, version: -

Trust: 0.6

vendor: cisco, model: web security appliance, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: asyncos, scope: eq, version: -

Trust: 0.3

sources: CNVD: CNVD-2016-12243 // BID: 94774 // JVNDB: JVNDB-2016-006308 // CNNVD: CNNVD-201612-203 // NVD: CVE-2016-9212

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-9212
value: HIGH

Trust: 1.0

NVD: CVE-2016-9212
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-12243
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201612-203
value: MEDIUM

Trust: 0.6

VULHUB: VHN-98032
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-9212
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-12243
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-98032
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-9212
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-12243 // VULHUB: VHN-98032 // JVNDB: JVNDB-2016-006308 // CNNVD: CNNVD-201612-203 // NVD: CVE-2016-9212

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-98032 // JVNDB: JVNDB-2016-006308 // NVD: CVE-2016-9212

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-203

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201612-203

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-006308

PATCH

title: cisco-sa-20161207-wsa1
url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-wsa1

Trust: 0.8

title: Cisco Web Security Appliance Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66244

Trust: 0.6

sources: JVNDB: JVNDB-2016-006308 // CNNVD: CNNVD-201612-203

EXTERNAL IDS

db: NVD, id: CVE-2016-9212

Trust: 3.4

db: BID, id: 94774

Trust: 2.6

db: SECTRACK, id: 1037410

Trust: 1.1

db: JVNDB, id: JVNDB-2016-006308

Trust: 0.8

db: CNNVD, id: CNNVD-201612-203

Trust: 0.7

db: CNVD, id: CNVD-2016-12243

Trust: 0.6

db: VULHUB, id: VHN-98032

Trust: 0.1

sources: CNVD: CNVD-2016-12243 // VULHUB: VHN-98032 // BID: 94774 // JVNDB: JVNDB-2016-006308 // CNNVD: CNNVD-201612-203 // NVD: CVE-2016-9212

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161207-wsa1

Trust: 2.0

url:http://www.securityfocus.com/bid/94774

Trust: 1.7

url:http://www.securitytracker.com/id/1037410

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9212

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9212

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161207-wsa

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: CNVD: CNVD-2016-12243 // VULHUB: VHN-98032 // BID: 94774 // JVNDB: JVNDB-2016-006308 // CNNVD: CNNVD-201612-203 // NVD: CVE-2016-9212

CREDITS

Cisco

Trust: 0.9

sources: BID: 94774 // CNNVD: CNNVD-201612-203

SOURCES

db: CNVD, id: CNVD-2016-12243
db: VULHUB, id: VHN-98032
db: BID, id: 94774
db: JVNDB, id: JVNDB-2016-006308
db: CNNVD, id: CNNVD-201612-203
db: NVD, id: CVE-2016-9212

LAST UPDATE DATE

2024-11-23T22:59:26.496000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-12243, date: 2016-12-14T00:00:00
db: VULHUB, id: VHN-98032, date: 2016-12-22T00:00:00
db: BID, id: 94774, date: 2016-12-20T01:08:00
db: JVNDB, id: JVNDB-2016-006308, date: 2016-12-20T00:00:00
db: CNNVD, id: CNNVD-201612-203, date: 2016-12-12T00:00:00
db: NVD, id: CVE-2016-9212, date: 2024-11-21T03:00:48.577

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2016-12243, date: 2016-12-14T00:00:00
db: VULHUB, id: VHN-98032, date: 2016-12-14T00:00:00
db: BID, id: 94774, date: 2016-12-07T00:00:00
db: JVNDB, id: JVNDB-2016-006308, date: 2016-12-20T00:00:00
db: CNNVD, id: CNNVD-201612-203, date: 2016-12-09T00:00:00
db: NVD, id: CVE-2016-9212, date: 2016-12-14T00:59:34.303