CVE-2015-4458
Description
The TLS implementation in the Cavium cryptographic-module firmware, as distributed with Cisco Adaptive Security Appliance (ASA) Software 9.1(5.21) and other products, does not verify the MAC field, which allows man-in-the-middle attackers to spoof TLS content by modifying packets, aka Bug ID CSCuu52976.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cavium cryptographic-module firmware in Cisco ASA 9.1(5.21) lacks MAC verification, allowing man-in-the-middle attackers to spoof TLS content.
Vulnerability
The TLS implementation in the Cavium cryptographic-module firmware, as distributed with Cisco Adaptive Security Appliance (ASA) Software version 9.1(5.21) and potentially other products, does not verify the Message Authentication Code (MAC) field. This flaw enables attackers to modify TLS packets without detection. The affected firmware is part of the Cavium cryptographic module, a third-party component integrated into Cisco ASA and possibly other vendors' products. The vulnerability is identified by Cisco Bug ID CSCuu52976 [1].
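The check that is missing, shown as an added example that is not Cavium or Cisco code: a receiver that strips the MAC without comparing it, next to one that recomputes and verifies it. It assumes the TLS 1.0-1.2 record MAC layout with HMAC-SHA1 and omits the cipher step; the function names, key and record contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1 (assumed suite)

def record_mac(mac_key, seq_num, content_type, version, fragment):
    """TLS 1.0-1.2 record MAC: HMAC(key, seq_num || type || version || length || fragment)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()

def protect(mac_key, seq_num, content_type, version, fragment):
    """Sender side: append the MAC (encryption is left out of this sketch)."""
    return fragment + record_mac(mac_key, seq_num, content_type, version, fragment)

def receive_unchecked(record):
    """Behaviour the CVE describes: MAC bytes are stripped but never compared."""
    return record[:-MAC_LEN]

def receive_checked(mac_key, seq_num, content_type, version, record):
    """Correct behaviour: recompute the MAC and compare in constant time."""
    if len(record) < MAC_LEN:
        raise ValueError("bad_record_mac")
    fragment, received = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    if not hmac.compare_digest(expected, received):
        raise ValueError("bad_record_mac")
    return fragment

def demo():
    key = b"\x11" * 20                       # constructed MAC key
    original = b"amount=100"                 # constructed application data
    record = protect(key, 0, 23, 0x0303, original)
    # Constructed in-transit change: same length, original MAC left in place.
    altered = b"amount=900" + record[len(original):]
    results = {"unchecked": receive_unchecked(altered)}
    try:
        receive_checked(key, 0, 23, 0x0303, altered)
        results["checked"] = "accepted"
    except ValueError as exc:
        results["checked"] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input, the verifying receiver also rejects an unmodified record presented at the wrong position in the stream.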
Exploitation
A man-in-the-middle attacker positioned between the ASA device and the TLS endpoint can exploit this vulnerability by intercepting and altering TLS packets. Since the MAC is not validated, the attacker can modify the content of the encrypted TLS stream without causing a protocol-level error. The attacker does not require authentication or prior access to the device; only network access to the communication path is needed. The attack does not require user interaction and can be executed in real time.
Impact
Successful exploitation allows the attacker to spoof TLS content, effectively compromising the integrity of encrypted communications. This can lead to data manipulation, injection of malicious payloads, or undermining trust in the TLS session. While the confidentiality of the initial encryption is not directly broken, the lack of MAC verification undermines the integrity guarantee of TLS, potentially enabling further attacks such as content injection or session hijacking.
Mitigation
Cisco has not released a fix specific to this issue as it is a third-party (Cavium) vulnerability. Cisco stopped publishing non-Cisco product alerts in 2019 [1]. Affected users should consult Cavium (now part of Marvell) for firmware updates that implement proper MAC verification. As a workaround, network segmentation and strict monitoring of TLS traffic can reduce exposure. No KEV listing was identified for this CVE.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.5.21:*:*:*:*:*:*:*
- Range: 9.1(5.21) and other products
Patches
No patches discovered yet.
References
- tools.cisco.com/security/center/viewAlert.x (nvd, Vendor Advisory)
- www.securitytracker.com/id/1032927 (nvd)