Published: November 6, 2019
Last Update: November 6, 2019
Multiple ACOS release families use hardcoded X.509 certificates and private keys to support HTTPS management access for ACOS systems. A remote attacker could exploit this vulnerability to conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from other ACOS installations to decrypt confidential information on ACOS GUI and AXAPI connections.
An ACOS system running an affected release is exposed to this vulnerability only if it is configured to use the system’s default, self-signed web certificate and private key, that is, if no valid web credentials have been installed (uploaded) on the system. The following vulnerability items are addressed in this document.
Non-Unique ACOS HTTPS Mgmt X.509 Certificate/Key
Workarounds and Mitigations
Installing unique and trusted web credentials on the ACOS system will overcome exposure to this vulnerability.
For ACOS 2.x and 3.1.x, the X.509 certificate and key for web management services can be imported using the ACOS Web/GUI page at “Select Config Mode > System > Settings > Web Certificate”.
Administrators who subsequently issue the "web-service certificate-reset" ACOS CLI command will effectively restore the non-unique X.509 certificate and key. Accordingly, they will need to repeat the procedure above to ensure that the factory default certificate and key are not being used for the ACOS system.
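One way to verify the workaround across a fleet, as an added example that is not A10's code: a certificate presented by more than one management interface is not unique, and a fingerprint that no longer matches the one recorded when web credentials were installed suggests the default was restored, for instance by "web-service certificate-reset". The host names, the baseline mapping and the byte strings standing in for DER certificates are constructed assumptions.

```python
import hashlib
import ssl
from collections import defaultdict


def fetch_der(host, port=443):
    """Fetch the certificate a management interface presents (no trust validation)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def audit(observed, baseline):
    """observed: host -> DER bytes; baseline: host -> fingerprint recorded at install.

    Returns a sorted list of (host, finding) tuples.
    """
    by_fp = defaultdict(list)
    for host, der in observed.items():
        by_fp[fingerprint(der)].append(host)

    findings = []
    for fp, hosts in by_fp.items():
        for host in hosts:
            if len(hosts) > 1:
                # Same certificate on several systems: not a unique credential.
                findings.append((host, "shared-certificate"))
            expected = baseline.get(host)
            if expected is None:
                findings.append((host, "no-baseline"))
            elif expected != fp:
                # Served certificate differs from the one installed earlier.
                findings.append((host, "baseline-mismatch"))
    return sorted(findings)


# Constructed sample: placeholder bytes, not real certificates (assumption).
SAMPLE_OBSERVED = {
    "acos-a.example": b"constructed-unique-cert-A",
    "acos-b.example": b"constructed-shared-default",
    "acos-c.example": b"constructed-shared-default",
}
SAMPLE_BASELINE = {
    "acos-a.example": fingerprint(b"constructed-unique-cert-A"),
    "acos-b.example": fingerprint(b"constructed-unique-cert-B"),
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_OBSERVED, SAMPLE_BASELINE):
        print(host, finding)
```

Against live systems, build the observed mapping with fetch_der() for each management address and store the baseline fingerprints at the time the unique credentials are uploaded.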
The following table shares brief descriptions of the vulnerabilities addressed in this document.
ACOS 3.1.x, 2.8.2, 2.7.2, 2.7.1-GR1, and 2.6.1-GR1 can use a default, non-unique X.509 certificate/key pair. This may allow remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from another installation.
© Copyright 2019 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.