BLACK HAT USA — Las Vegas — Cisco's enterprise-class firewalls have at least a dozen vulnerabilities — four of which have been assigned CVE identifiers — that could allow attackers to infiltrate networks protected by the devices, a security researcher from vulnerability management firm Rapid7 plans to say in a presentation at the Black Hat USA conference on Aug. 11.
The vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) software, the operating system for the company's enterprise-class firewalls, and its ecosystem. The most significant security weakness (CVE-2022-20829) is that the Adaptive Security Device Manager (ASDM) binary packages are not digitally signed, which — along with the failure to verify a server's SSL certificate — allows an attacker to deploy customized ASA binaries that can then install files onto administrators' computers.
Because administrators just expect the ASDM software to come preinstalled on devices, the fact that the binaries are not signed gives attackers a significant supply chain attack, says Jake Baines, lead security researcher at Rapid7.
"If someone buys an ASA device on which the attacker has installed their own code, the attackers don't get shell on the ASA device, but when an administrator connects to the device, now [the attackers] have a shell on [the administrator's] computer," he says. "To me, that is the most dangerous attack."
The dozen security weaknesses include issues that impact devices and virtual instances running the ASA software, as well as vulnerabilities in the Firepower next-generation firewall module. More than 1 million ASA devices are deployed worldwide by Cisco's customers, although a Shodan search shows that only about 20% have the management interface exposed to the Internet, Baines says.
As a supply chain attack, the vulnerabilities would give threat actors the ability to compromise a virtual device at the edge of the network — an environment that most security teams would not analyze for security threats, he says.
"If you have access to the virtual machine, you have full access inside the network, but more importantly, you can sniff all the traffic going through, including decrypted VPN traffic," Baines says. "So, it is a really great place for an attacker to chill out and pivot, but probably just sniff for credentials or monitor the traffic flowing into the network."
Baines discovered the issue when he was investigating the Cisco ASDM to get "a level set on how the GUI (graphical user interface) works" and pull apart the protocol, he says.
A component installed on administrators' systems, known as the ASDM launcher, could be used by attackers to deliver malicious code in Java class files or through the ASDM Web portal. As a result, attackers could create a malicious ASDM package to compromise the administrator's system through installers, malicious Web pages, and malicious Java components.
The ASDM vulnerabilities discovered by Rapid7 include a known vulnerability (CVE-2021-1585) that allows an unauthenticated remote code execution (RCE) attack, which Cisco claimed was patched in a recent update, but Baines discovered it remained.
In addition to the ASDM issues, Rapid7 found a handful of security weaknesses in the Firepower next-generation firewall module, including an authenticated remote command injection vulnerability (CVE-2022-20828). The Firepower module is a Linux-based virtual machine hosted on the ASA device, and it runs the Snort scanning software to classify traffic, according to Rapid7's advisory.
"The final takeaway for this issue should be that exposing ASDM to the internet could be very dangerous for ASA that use the Firepower module," the advisory states. "While this might be a credentialed attack, as noted previously, ASDM's default authentication scheme discloses username and passwords to active MitM [machine-in-the-middle] attackers."
Updating can be complex for Cisco ASA appliances, presenting a problem for companies in mitigating the vulnerabilities. The most widely deployed version of the ASA software is five years old, Baines says. Only about half a percent of installations updated their ASA software within seven days to the latest version, he adds.
"There is no auto-patch feature, so the most popular version of the appliance operating system is quite old," Baines says.
Cisco has had to deal with security issues in its other products as well. Last week, Cisco disclosed a trio of vulnerabilities in its RV series of small business routers. The vulnerabilities could be used together to allow an attacker to execute arbitrary code on Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers without authenticating first.