CVE-2016-10213

low-risk

Published 2017-02-08

A10 AX1030 and possibly other devices with software before 2.7.2-P8 uses random GCM nonce generations, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270.

Do I need to act?

0.46% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Advanced Core Operating System

Affected Vendors

A10Networks

References (6)

http://www.securityfocus.com/bid/96163

https://github.com/nonce-disrespect/nonce-disrespect

https://www.a10networks.com/blog/cve-2016-0270-gcm-nonce-vulnerability

http://www.securityfocus.com/bid/96163

https://github.com/nonce-disrespect/nonce-disrespect

https://www.a10networks.com/blog/cve-2016-0270-gcm-nonce-vulnerability

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal