Cisco releases bug advisories affecting more than 1 million security devices


Cisco on Thursday released three advisories on vulnerabilities discovered by cybersecurity firm Rapid7 in its Adaptive Security Software (ASA) and ASA-X systems. More than a million Cisco ASA devices are deployed worldwide and are designed to support VPN, IPS, and many other features.

In a report published on Thursday, Rapid7 said it had discovered 10 different vulnerabilities affecting Cisco ASA, Adaptive Security Device Manager (ASDM) and FirePOWER Services Software for ASA.

Of the ten, Rapid7 said six of the issues have not yet been patched. Cisco told The Record that it is publishing three advisory notes and three software bug release notes for the issues reported to the company in February and March.

Rapid7’s lead security researcher, Jake Baines, discovered the issues and said the three most critical concerns revolve around CVE-2022-20829, CVE-2021-1585, and CVE-2022-20828.

CVE-2022-20829 – with a CVSS score of 9.1 – relates to Cisco’s ASDM, a graphical user interface for remote management of appliances using ASA. According to Rapid7, a malicious ASDM package can be installed on a Cisco ASA, allowing arbitrary code to run on any system connected to the ASA via ASDM.

“The value of this vulnerability is high because the ASDM package is redistributable,” Rapid7 said in a report. “A malicious ASDM package can be installed on an ASA in a supply chain attack, installed by an insider or a third party/administrator, or simply made available “for free” on the internet for administrators to discover for themselves.”

Cisco said in the advisory that CVE-2022-20829 was patched and that they have no evidence of exploitation, but Rapid7 disagreed in its report, claiming the bug hasn’t been fixed.

The report also highlights CVE-2021-1585, a bug that Cisco disclosed without a patch in July 2021. The company eventually fixed the issue in a June 2022 update, but Rapid7 says it was able to show the exploit still works against the latest update. Cisco said it had no evidence the vulnerability was exploited.

Rapid7 noted that the kind of man-in-the-middle attack that exploits CVE-2021-1585 is “trivial for well-funded APT [advanced persistent threat], and they often have the network position and motive,” APT being the term for nation-state-affiliated hacking groups. “This vulnerability has been public and unpatched for over a year,” stated Rapid7.

Cisco has fixed CVE-2022-20828, a vulnerability that allows attackers to gain root access to ASA-X running FirePOWER services.

According to Rapid7, FirePOWER Services software — a software suite that supports installing the FirePOWER module on Cisco ASA 5500-X with FirePOWER Services — would be “a pretty ideal place for an attacker to hide or stage attacks.”

Rapid7 has been in discussions with Cisco about the issues through July 2022 and announced plans to present their research at Thursday’s Black Hat conference, though they acknowledge six of the issues described have not been resolved.

A Cisco spokesman told The Record that the company is tracking the bugs and appreciates Rapid7 for bringing them to light.

Rapid7 acknowledged that Cisco does not consider all uncovered bugs to be “vulnerabilities,” but urged organizations using Cisco ASA to isolate administrative access as much as possible.

Rapid7 said that, based on its research, it is unclear whether a patch would be widely deployed even if Cisco released one. The company said it scoured the internet for ASDM web portals on June 15 and found that less than 0.5% of internet-connected ASDM instances had adopted the latest update a week after it was released. The most prevalent version it found was one released in 2017.

“Organizations using Cisco ASA are urged to isolate administrative access as much as possible. This is not limited to simply ‘removing ASDM from the Internet,’” the company said. “We have shown a few ways that malicious packets can reasonably end up on an ASA, and none of these mechanisms have been patched. It is important to isolate administrative access from potentially untrusted users.”
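One concrete way to act on that advice is to audit where an ASA actually accepts ASDM (HTTPS) and SSH management connections. The script below is an added example, not code from the article, Rapid7 or Cisco. It assumes the standard ASA running-config syntax for management access lines (`http <source> <mask> <interface>` and `ssh <source> <mask> <interface>`), assumes the Internet-facing interface is named `outside`, and runs over a constructed config excerpt rather than output captured from a real device.

```python
"""Audit an ASA running-config excerpt for management access (ASDM over HTTPS,
SSH) that is reachable from an untrusted interface or from source networks
outside the trusted management range.

Added example; not the article's, Rapid7's or Cisco's code. Assumed syntax:
    http <source-ip> <mask> <interface>
    ssh  <source-ip> <mask> <interface>
and an Internet-facing interface named "outside" (adjust to your own config).
"""
import ipaddress
import re

# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif management
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.20.30.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.20.30.0 255.255.255.0 management
ssh version 2
"""

# Matches only the four-token access lines; 'http server enable' and
# 'ssh version 2' have three tokens and are skipped.
MGMT_LINE = re.compile(r"^(http|ssh)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_mgmt_access(config: str):
    """Return (service, network, interface, raw_line) for every http/ssh
    access line in the config. Four-token lines that are not access entries
    (e.g. 'ssh key-exchange group ...') fail IPv4 parsing and are ignored."""
    entries = []
    for line in config.splitlines():
        raw = line.strip()
        m = MGMT_LINE.match(raw)
        if not m:
            continue
        service, addr, mask, ifname = m.groups()
        try:
            net = ipaddress.IPv4Network((addr, mask), strict=False)
        except ValueError:
            continue  # not an address/mask pair, so not an access line
        entries.append((service, net, ifname, raw))
    return entries


def find_exposed(config: str, trusted_nets, untrusted_ifaces=("outside",)):
    """Flag access lines that expose management beyond the trusted networks.

    Returns a list of (reason, remediation) pairs; the remediation is the
    'no ...' form of the offending line, which removes that entry on an ASA.
    """
    trusted = [ipaddress.IPv4Network(n) for n in trusted_nets]
    findings = []
    for service, net, ifname, raw in parse_mgmt_access(config):
        if ifname in untrusted_ifaces:
            reason = f"{service} reachable on untrusted interface {ifname} from {net}"
        elif not any(net.subnet_of(t) for t in trusted):
            reason = f"{service} on {ifname} accepts non-management source {net}"
        else:
            continue  # trusted interface and trusted source: fine
        findings.append((reason, f"no {raw}"))
    return findings


if __name__ == "__main__":
    # Trusted management network is an assumption for the sample.
    for reason, fix in find_exposed(SAMPLE_CONFIG, ["10.20.30.0/24"]):
        print(f"{reason}\n    remediation: {fix}")
```

Run against the sample, the script flags both the ASDM and the SSH entries bound to `outside` and proposes the corresponding `no http ...` / `no ssh ...` lines, while the entries restricted to the management subnet pass. Feed it the real `show running-config` output of each appliance to get a per-device list of management paths that do not originate from the isolated admin network.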

Cisco did not respond to requests for clarification as to why it considered some of the issues to be vulnerabilities and not others.

Jonathan has been working as a journalist worldwide since 2014. Before moving back to New York City, he worked for news agencies in South Africa, Jordan and Cambodia. He previously worked on cyber security at ZDNet and TechRepublic.
