Timing Channel Vulnerability in Cisco FireSIGHT System Software
CVE-2016-1356
3.7 LOW
Summary
Cisco FireSIGHT System Software version 6.1.0 is susceptible to a timing channel vulnerability that lets remote attackers deduce valid usernames by observing variations in response time during authentication. The flaw arises because credential verification is not implemented with a constant-time algorithm, so how long a login attempt takes to fail depends on whether the username exists. Organizations using this software should review their security measures and apply the necessary mitigations to protect against enumeration attacks.
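The bug class described above, shown as an added example that is not Cisco's code or part of the original advisory: a credential check whose cost depends on whether the username exists, beside a form that does the same work on both paths. The account store, function names, and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KDF_CALLS = 0  # counts expensive hash operations so the work per path can be compared

def kdf(password: str, salt: bytes) -> bytes:
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample account store (hypothetical users and passwords).
USERS = {"alice": make_record("correct horse"), "bob": make_record("hunter2")}
# Dummy record that is verified when the username is unknown.
DUMMY = make_record(os.urandom(16).hex())

def verify_leaky(username: str, password: str) -> bool:
    """Username-dependent timing: unknown users skip the KDF entirely."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path reveals that the account does not exist
    salt, stored = record
    return kdf(password, salt) == stored  # == is not a constant-time comparison

def verify_uniform(username: str, password: str) -> bool:
    """Same KDF work for known and unknown usernames, constant-time comparison."""
    record = USERS.get(username)
    salt, stored = record if record is not None else DUMMY
    matches = hmac.compare_digest(kdf(password, salt), stored)
    return matches & (record is not None)

def kdf_calls(verify, username: str, password: str) -> int:
    """Return how many KDF invocations one verification attempt costs."""
    before = KDF_CALLS
    verify(username, password)
    return KDF_CALLS - before

if __name__ == "__main__":
    # Prints: username, KDF calls in the leaky check, KDF calls in the uniform check.
    for name in ("alice", "mallory"):
        print(name, kdf_calls(verify_leaky, name, "x"), kdf_calls(verify_uniform, name, "x"))
```

Counting KDF invocations rather than measuring wall-clock time keeps the comparison deterministic; the count stands in for the response-time difference a remote observer would see.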
CVSS V3.1
Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved