Threat researchers at Rapid7 have disclosed 10 separate security issues in Cisco firewall products that could leave hundreds of thousands of organisations all over the world exposed to potentially serious supply chain cyber attacks and warned that not all of them have been properly patched.
The vulnerabilities impact Cisco Adaptive Security Software (ASA) and ASA-X enterprise-grade firewalls, as well as the Adaptive Security Device Manager (ASDM) graphical user interface for remote administration of ASA-based appliances, and its FirePower Services Software, which specifically supports the installation of the FirePower module on Cisco ASA 5500-X with FirePower Services.
They were discovered by Rapid7 lead security researcher Jake Baines, who disclosed them to Cisco in February and March of 2022, and has been working extensively with the networking kit supplier since then. They were formally demonstrated today (11 August) at Black Hat USA, and will be shown again at the following DEF CON conference on 13 August. At the time of writing, only four of the issues have been patched, and only four have been assigned common vulnerability and exposure (CVE) designations.
“Cisco does not consider the complete list of exploitable features to be vulnerabilities,” said Baines in a summary statement accompanying his disclosure, “as much of the exploitation happens on the virtual machine in the ASA.
“Despite this, attackers can still gain access to corporate networks, should they remain unpatched. Rapid7 urges organisations that use Cisco ASA to isolate administrative access as much as possible,” he said.
The three arguably most critical vulnerabilities are as follows:
- CVE-2022-20829 in Cisco ASDM. This vulnerability exists because the ASDM binary package lacks a cryptographic signature to prove it is authentic, so a malicious ASDM package installed on a Cisco ASA could lead to arbitrary code execution on any client connected to it. This is particularly impactful because the ADSM package is distributable. This means it could be installed via a supply chain attack, a malicious insider, or simply left available for free on the public internet for admins to find themselves. It has not been patched.
- CVE-2021-1585. This vulnerability lets a man-in-the-middle or malicious endpoint execute arbitrary Java code on an ASDM admin’s system using the launcher. Cisco disclosed it in July 2021, but did not patch it until the June 2022 release of ASDM 18.104.22.168. However, Baines has shown the exploit still works against this version.
- CVE-2022-20828. This is a remote, authenticated vulnerability that lets a threat actor achieve root access on ASA-X with FirePower Services when the FirePower module is installed. Because the FirePower module is fully-networked and is capable of accessing both outside and inside the ASA, it is very useful to an attacker to hide or stage their attacks – as a result, exposing ASDM to the public internet could be very dangerous for ASAs using this module, and furthermore, while it requires credentials to successfully execute, ASDM’s default authentication scheme discloses credentials to active man-in-the-middle attackers. Fortunately, it has been fixed in most maintained versions.
One of the other less impactful issues, a credential logging flaw in the ASDM client, has been assigned CVE-2022-20651. For the reasons outlined by Baines, the others have not. Full details of these are available from Rapid7.
Baines said users of the affected products needed to understand that firewalls, which are supposed to be a vital element of keeping threat actors off networks, can be easily bypassed.
He added that many users were clearly not updating their Cisco firewalls appropriately, claiming that a 15 June scan for ASDM web portals found that less than 0.5% of internet-facing appliances had upgraded to the most recent ASDM 7.18.1 release, with the most popular version in the wild found to be 7.8.2, which has been around for five years now.