Vulnslist

find the latest Cisco vulnerabilities

Cisco Web Security Appliance HTTPS Certificate Denial of Service Vulnerability

cisco-sa-20190703-wsa-dos · High · Published · Updated

A vulnerability in the HTTPS decryption feature of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient validation of Secure Sockets Layer (SSL) server certificates. An attacker could exploit this vulnerability by installing a malformed certificate in a web server and sending a request to it through the Cisco WSA. A successful exploit could allow the attacker to cause an unexpected restart of the proxy process on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-wsa-dos

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability. It is possible to mitigate the impact of this vulnerability by bypassing decryption for web servers that are hosting malformed certificates that exploit this vulnerability. For details about how to configure the bypass, refer to AsyncOS User Guide https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-7/user_guide/b_WSA_UserGuide_11_7/b_WSA_UserGuide_11_7_appendix_010111.html#task_1316480 .

CVEsCVE-2019-1886
Cisco Bug IDsCSCvo33747
CVSS ScoreBase 8.6
Base 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco Web Security Appliance (WSA), Cisco Secure Web Appliance

Related Products

Product CVE Evidence
Cisco Web Security Appliance (WSA) CVE-2019-1886 Cisco OpenVuln
Cisco Secure Web Appliance CVE-2019-1886 Cisco OpenVuln