
Overview

At the DefCon security conference, researchers from Rapid7 released details of vulnerabilities in a number of Cisco products.

The most critical of these, a remote code execution (RCE) vulnerability in the ASDM client (CVE-2021-1585), had been believed patched but remained exploitable. Cisco has since released another fix.

Additionally, the ASDM client does not verify the server's SSL certificate, making it vulnerable to Machine in the Middle (MitM) attacks.

Another vulnerability, a lack of code signing in the ASDM package manager (CVE-2022-20829) would allow an attacker to install malicious packages.

The researchers also found multiple weaknesses in the Firepower service which would give an attacker control over the device. Cisco has fixed this in most maintained versions, but older vulnerable boot images can still be loaded onto a device. Malicious Firepower packages could be used in social engineering attacks.

Impact

An authenticated, remote attacker with administrative access could install malicious ASDM packages, resulting in arbitrary code execution on the client side.

A network-based attacker with MitM capabilities could intercept an ASDM user's credentials or execute code on the client's machine.

A backdoored Firepower package could be distributed via social engineering or a supply-chain attack and grant an attacker control over a device.

Vulnerability Detection

Rapid7 has released tools for testing device security on GitHub, along with slides from their DefCon presentation.

Affected Products

ASDM earlier than:
7.18.1.152

ASA earlier than:
9.18.2
9.17.1.13
9.16.3.19
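
The following is an added example, not code from the advisory, Rapid7 or Cisco: a small checker that compares an installed ASA or ASDM version against the fixed releases listed above, so defenders can flag devices that still need patching. It assumes Cisco's parenthesised notation (e.g. `9.16(3)19`) maps to the same dotted numbering, and that a release train not listed here is unknown unless it is older than every listed fix.

```python
# Added example (not from the advisory, Rapid7 or Cisco): flag ASA/ASDM
# versions that are still "earlier than" the fixed releases on this page.
from typing import Optional, Tuple

# Fixed releases exactly as listed under "Affected Products".
# ASA fixes are per release train (9.18.x, 9.17.x, 9.16.x).
FIXED = {
    "asdm": ["7.18.1.152"],
    "asa": ["9.18.2", "9.17.1.13", "9.16.3.19"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.16.3.19' or '9.16(3)19' into (9, 16, 3, 19).

    Assumption: Cisco's parenthesised interim number is equivalent to the
    dotted form used on this page.
    """
    cleaned = text.strip().replace("(", ".").replace(")", ".")
    parts = [p for p in cleaned.split(".") if p]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the page lists a later fix for this version's train,
    False if the version is at or above that fix, None if the train
    is not covered by the page and not older than every listed fix."""
    installed = parse_version(version)
    fixes = [parse_version(f) for f in FIXED[product.lower()]]
    # Match the release train on the first two components, e.g. 9.16.
    for fix in fixes:
        if fix[:2] == installed[:2]:
            return installed < fix
    # Unlisted train: anything older than every listed fix is still
    # "earlier than" all of them, so treat it as affected.
    if installed < min(fixes):
        return True
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for product, version in [("ASDM", "7.18.1.150"), ("ASA", "9.16(3)14"),
                             ("ASA", "9.18.2"), ("ASA", "9.19.1")]:
        print(product, version, "->", is_vulnerable(product, version))
```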

Containment, Mitigations & Remediations

Cisco has released updates to address most of these vulnerabilities. Customers are strongly advised to keep their devices updated through regular patching cycles.

Cisco ASA owners are advised to minimise administrative access where possible to reduce the risk of malicious packages being installed, whether by malicious insiders or social engineering.

Indicators of Compromise

The researchers have released YARA rules that can be used to detect malicious packages and to scan log files for indicators of exploitation.

Threat Landscape

An attacker who already holds administrative access to a networking device has many options for attacking the network, so while these vulnerabilities are concerning, they require some initial work to exploit effectively.

Mitre Methodologies

  • T1210 – Exploitation of Remote Services
  • T1557 – Adversary-in-the-Middle
  • T1554 – Compromise Client Software Binary

Further Information

Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM and Firepower Services Software

Cisco ASDM IDM Launcher Vulnerabilities CVE-2021-1585

Cisco Security Advisories