Cisco releases advisories for bug affecting more than 1 million security devices
Cisco on Thursday released three advisories for vulnerabilities discovered by cybersecurity firm Rapid7 in its Adaptive Security Appliance (ASA) software and ASA-X systems. More than one million Cisco ASA devices are deployed worldwide; they act as network firewalls and also provide VPN, IPS, and many other features.
In a report released Thursday, Rapid7 said it discovered 10 different vulnerabilities affecting Cisco ASA, Adaptive Security Device Manager (ASDM), and FirePOWER Services Software for ASA.
Of the ten, Rapid7 said six of the issues still have not been patched. Cisco told The Record it is publishing three advisories and three software bug release notes related to the issues, which were reported to the company in February and March.
Rapid7’s Lead Security Researcher, Jake Baines, discovered the issues and said the three most critical concerns revolve around CVE-2022-20829, CVE-2021-1585 and CVE-2022-20828.
CVE-2022-20829 — carrying a CVSS score of 9.1 — relates to Cisco’s ASDM, a graphical user interface for remote administration of appliances running ASA. The ASA serves the ASDM package to the administrator's ASDM client on every connection, and according to Rapid7 the ASA does not adequately verify that package: a malicious ASDM package can be installed on a Cisco ASA, allowing arbitrary code to be executed on the workstation of any administrator who connects to that ASA through ASDM.
“The value of this vulnerability is high because the ASDM package is distributable,” Rapid7 said in a report. “A malicious ASDM package might be installed on an ASA in a supply chain attack, installed by an insider or a third-party vendor/administrator, or simply made available ‘for free’ on the internet for administrators to discover themselves.”
Cisco said in the advisory that CVE-2022-20829 has been patched and that they have no evidence of exploitation, but Rapid7 disagreed in its report, claiming the bug has not been addressed.
The report also highlights CVE-2021-1585, a bug that Cisco disclosed without a patch in July 2021. The company eventually fixed the issue in a June 2022 update, but Rapid7 says it was able to demonstrate that its exploit still works against that update. Cisco said it has no evidence that the vulnerability has been exploited.
Rapid7 noted that the kind of man-in-the-middle attacks that exploit CVE-2021-1585 are “trivial for well-funded APT [advanced persistent threat], and they often have the network position and the motive,” referring to hacking groups linked to nation states. “This vulnerability has been public and unpatched for over a year,” Rapid7 explained.
Cisco did fix CVE-2022-20828, a vulnerability that allows an authenticated attacker to gain root access on the FirePOWER Services module of an ASA-X.
Rapid7 said FirePOWER Services Software — a suite of software that supports the installation of the FirePOWER module on Cisco ASA 5500-X with FirePOWER Services — would be a “fairly ideal location for an attacker to hide or stage attacks.”
Rapid7 said it had been in discussions with Cisco about the issues through July 2022 and presented its research at the Black Hat conference on Thursday, despite acknowledging that six of the issues it described had not been patched.
A Cisco spokesperson told The Record that the company is tracking the bugs and appreciates Rapid7 for bringing them to light.
Rapid7 acknowledged that Cisco does not consider all of the bugs it uncovered “vulnerabilities” but urged organizations that use Cisco ASA to isolate administrative access as much as possible.
Rapid7 said that, based on its research, it is unclear whether a patch would be widely adopted even if Cisco released one. The company says it scanned the internet for ASDM web portals on June 15 and found that less than 0.5% of internet-facing ASDM instances had adopted the latest update a week after its release. The most prevalent version it found was one released in 2017.
“Organizations that use Cisco ASA are urged to isolate administrative access as much as possible. That is not limited to simply, ‘Remove ASDM from the internet,’” the company said. “We’ve demonstrated a few ways malicious packages could reasonably end up on an ASA and none of those mechanisms have been patched. Isolating administrative access from potentially untrustworthy users is important.”
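As an added illustration of the "isolate administrative access" advice above (this is an editor's example, not configuration from Rapid7, Cisco, or the article), the fragment below shows a weak ASA management configuration next to a hardened one. The interface names, the 192.0.2.0/24 management subnet and the LOCAL authentication choice are assumptions for the example; adapt them to the real deployment.

```cisco
! --- Weak (assumed example, not from the page) ---
! ASDM/HTTPS management is reachable from any address on the Internet-facing interface,
! so every ASDM user on the Internet receives whatever ASDM package the ASA serves.
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside

! --- Hardened (assumed example, not from the page) ---
! 1. A dedicated, management-only interface that carries no transit traffic.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 management-only

! 2. Remove the Internet-facing management entries entirely.
no http 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside

! 3. Allow ASDM (HTTPS) and SSH only from the admin subnet, only on the management interface.
http server enable
http 192.0.2.0 255.255.255.0 management
ssh 192.0.2.0 255.255.255.0 management
ssh version 2

! 4. Authenticate every management session and expire idle ones.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server idle-timeout 10
ssh timeout 10
```

This addresses only the network-reachability part of the problem. As the Rapid7 quote above notes, the unpatched mechanisms involve the ASDM package itself being replaced by an insider, a vendor, or a download an administrator fetches on their own, and no `http` or `ssh` statement prevents an authenticated administrator from loading such a package. Limiting which people and hosts can reach the management plane narrows who is in a position to do that; it does not remove the supply-chain risk.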
Cisco did not respond to requests for clarification about why it considered some of the issues vulnerabilities, and others not.