At the DefCon security conference, researchers from Rapid7 released details of vulnerabilities in a number of Cisco products.
The most critical of these, a remote code execution (RCE) vulnerability in the ASDM client (CVE-2021-1585), was believed to have been patched already but could still be exploited. Cisco has since released another fix.
Additionally, the ASDM client does not verify the SSL certificate, making it vulnerable to Machine in the Middle (MitM) attacks.
Another vulnerability, a lack of code signing in the ASDM package manager (CVE-2022-20829), would allow an attacker to install malicious packages.
They also found multiple weaknesses in the Firepower service that would give an attacker control over the device. Cisco has fixed these in most maintained versions, but older, vulnerable boot images can still be loaded onto a device. Malicious Firepower packages could be used in social engineering attacks.
An authenticated, remote attacker with administrative access could install malicious ASDM packages, resulting in arbitrary code execution on the client side.
A network-based attacker with MitM capabilities could intercept an ASDM user's credentials or execute code on the client's machine.
A backdoored Firepower package could be distributed via social engineering or a supply-chain attack and would grant an attacker control over a device.
Rapid7 has released tools for testing device security on GitHub, along with slides from their DefCon presentation.
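The package-signing gap behind CVE-2022-20829 and the backdoored-package scenario above both come down to the same missing control: an installer that checks a vendor signature before accepting a package. The following is an added illustration, not Cisco's code or format; the package layout, key pair and package image are constructed for the example, and the point is that a tampered image, a renamed package, or a package signed with anyone else's key is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a hypothetical package format for this example: an image
// plus a detached Ed25519 signature over a digest that binds name and image.
type SignedPackage struct {
	Name      string
	Image     []byte
	Signature []byte
}

var ErrBadSignature = errors.New("package signature does not verify against the trusted vendor key")

// packageDigest hashes name and image together so that a signature for one
// package name cannot be replayed onto a different package with the same image.
func packageDigest(name string, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/image boundaries are unambiguous
	h.Write(image)
	return h.Sum(nil)
}

// SignPackage is what the vendor's build pipeline would do with its private key.
func SignPackage(priv ed25519.PrivateKey, name string, image []byte) SignedPackage {
	return SignedPackage{Name: name, Image: image, Signature: ed25519.Sign(priv, packageDigest(name, image))}
}

// VerifyPackage is the check an installer must run before unpacking or
// executing anything: only packages signed by the trusted key are accepted.
func VerifyPackage(trusted ed25519.PublicKey, pkg SignedPackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize || !ed25519.Verify(trusted, packageDigest(pkg.Name, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	pkg := SignPackage(priv, "example-package.bin", []byte("constructed package image"))
	fmt.Println("genuine:", VerifyPackage(pub, pkg))
	tampered := pkg
	tampered.Image = append(append([]byte(nil), pkg.Image...), "extra"...)
	fmt.Println("tampered:", VerifyPackage(pub, tampered))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // an untrusted key
	fmt.Println("foreign key:", VerifyPackage(pub, SignPackage(attackerPriv, pkg.Name, pkg.Image)))
}
```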
ASDM earlier than:
ASA earlier than:
Containment, Mitigations & Remediations
Cisco has released updates to address most of these vulnerabilities. Customers are strongly advised to keep their devices updated through regular patching cycles.
Cisco ASA owners are advised to minimise administrative access where possible to reduce the risk of malicious packages being installed, whether by malicious insiders or social engineering.
Indicators of Compromise
The researchers have released YARA rules that can be used to detect malicious packages and to scan log files for indicators of exploitation.
An attacker with administrative access to a networking device would have a lot of options to attack the network, so while these vulnerabilities are concerning, they require some initial work to use effectively.
- T1210 – Exploitation of Remote Services
- T1557 – Adversary-in-the-Middle
- T1554 – Compromise Client Software Binary