- Cisco announced that the company fixed multiple vulnerabilities affecting its Adaptive Security Appliance Software and Firepower Defense Software.
- The vulnerabilities could allow attackers to execute arbitrary code, steal an RSA private key, or cause a denial of service by forcing the device to restart.
- There is currently no known workaround for the vulnerabilities, and no known incidents indicate that they are being exploited.
Cisco announced that it has patched multiple vulnerabilities affecting its Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software and urges users to apply the patches as soon as possible. Some of those vulnerabilities have high-severity CVSS scores: CVE-2022-20829, CVE-2022-20866, and CVE-2022-20715 have CVSS scores of 9.1, 7.4, and 8.6 respectively.
Arbitrary code execution and more
One of the vulnerabilities, CVE-2022-20829, lies in the packaging of Cisco Adaptive Security Device Manager (ASDM) images. Insufficient validation of image authenticity by Cisco ASA Software could allow an authenticated remote attacker to upload an ASDM image containing malicious code; the attacker must have administrative privileges to exploit the vulnerability. The vulnerability affects a device when:
- The device was running a Cisco ASA Software release earlier than Release 18.104.22.168, earlier than Release 22.214.171.124, or earlier than Release 9.18.2.
- The device was configured with a Cisco ASDM release earlier than Release 126.96.36.199.
- The Cisco ASDM image was using a Cisco ASDM-IDM Launcher release earlier than Release 1.9(5).
- The device was configured for HTTPS management access.
There are no known workarounds for the vulnerability; it is fixed in Cisco ASA versions 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 9.18.2, and in ASDM version 126.96.36.199.
The RSA private key leak vulnerability, tracked as CVE-2022-20866, is caused by a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. It can be exploited with a Lenstra side-channel attack, allowing an attacker to retrieve the RSA private key. Cisco stated that this vulnerability applies to approximately 5 percent of the RSA keys on a vulnerable device. It affects the following Cisco products when they perform hardware-based cryptographic functions and run a vulnerable release of Cisco ASA Software or Cisco FTD Software:
- ASA 5506-X with FirePOWER Services
- ASA 5506H-X with FirePOWER Services
- ASA 5506W-X with FirePOWER Services
- ASA 5508-X with FirePOWER Services
- ASA 5516-X with FirePOWER Services
- Firepower 1000 Series Next-Generation Firewall
- Firepower 2100 Series Security Appliances
- Firepower 4100 Series Security Appliances
- Firepower 9300 Series Security Appliances
- Secure Firewall 3100
The vulnerability is fixed in ASA Software versions 188.8.131.52, 184.108.40.206, and 9.18.2 and FTD Software versions 7.0.4, Cisco_FTD_Hotfix_P-220.127.116.11-2.sh.REL.tar, Cisco_FTD_SSP_FP1K_Hotfix_P-18.104.22.168-2.sh.REL.tar, Cisco_FTD_SSP_FP2K_Hotfix_P-22.214.171.124-2.sh.REL.tar, Cisco_FTD_SSP_Hotfix_P-126.96.36.199-2.sh.REL.tar, Cisco_FTD_SSP_FP3K_Hotfix_Q-188.8.131.52-2.sh.REL.tar, and 184.108.40.206.
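The Lenstra attack referenced above works against RSA-CRT signing when one half of the computation is corrupted, which is why signers must verify a fresh signature with the public key before releasing it. The following is an added illustration, not code from Cisco or the advisory; it uses a constructed toy key (P, Q, E are assumed values, far smaller than real keys) and a simulated fault to show the check catching a corrupted signature that would otherwise reveal a factor of N.

```python
# Added example: RSA-CRT signing with the verify-after-sign countermeasure
# against the Lenstra fault attack. Key material is constructed and toy-sized;
# the arithmetic is identical for real key lengths.
from math import gcd

# Constructed toy RSA key: two primes near 10^6 (real keys use 1024-bit primes).
P, Q = 999983, 1000003
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p for Garner recombination


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA-CRT signature of m. fault=True simulates a corrupted residue mod q,
    the kind of error a hardware logic bug can introduce."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq = (sq + 1) % Q            # one wrong half; the p side stays correct
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def verify(m: int, s: int) -> bool:
    """Public-key check: a valid signature satisfies s^e == m (mod N)."""
    return pow(s, E, N) == m


def sign_checked(m: int, fault: bool = False):
    """Countermeasure: re-verify every signature and release it only if the
    check passes. A faulty signature is suppressed instead of being emitted."""
    s = sign_crt(m, fault)
    return s if verify(m, s) else None


def leaked_factor(m: int, s: int):
    """Why the check matters: a signature correct mod p but wrong mod q gives
    gcd(s^e - m, N) == p. Returns the leaked factor, or None for a valid s."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None
```

Running `sign_checked(m, fault=True)` returns `None` where an unchecked signer would have handed out a value from which `leaked_factor` recovers P.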
The other high-severity vulnerability, CVE-2022-20715, lies in the remote access SSL VPN features of Cisco ASA Software and Cisco FTD Software and allows a remote attacker to cause a denial of service. It is caused by improper validation of errors that are logged as a result of client connections made through the remote access VPN. It can be exploited by sending crafted requests that cause the device to restart. It affects Cisco products that run vulnerable releases of Cisco ASA Software or FTD Software and have a vulnerable AnyConnect or WebVPN configuration.
Cisco also confirmed that the company recently suffered a data breach. The investigation showed that employees' credentials were compromised. A group named Yanluowang has published 2.75 GB of allegedly stolen data online.