Cisco Patches High-Severity Vulnerability in Security Solutions

Cisco this week announced the release of patches for a high-severity vulnerability in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an unauthenticated attacker to leak an RSA private key.

The ASA software is the core operating system of Cisco’s ASA security devices, which provide protection to data centers and corporate networks, while the FTD software delivers next-generation firewall services.

Tracked as CVE-2022-20866, the vulnerability exists because of “a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco notes in its advisory.

A threat actor using a Lenstra side-channel attack against a vulnerable device could exploit the security bug to retrieve the RSA private key.

“This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key,” Cisco explains.

The tech company also notes that an affected RSA key may be valid but have specific characteristics that make it vulnerable to the leak, or it may be malformed and invalid, having been created by a vulnerable software release that produced an invalid RSA signature, which then fails verification.

In either case, an attacker may use the obtained RSA private key to impersonate a device running ASA or FTD software, or to decrypt the device traffic.

The vulnerability, Cisco explains, impacts the following ASA devices with FirePOWER services: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, and ASA 5516-X, as well as the Firepower 1000 series next-gen firewalls, the Firepower 2100, 4100, and 9300 series security appliances, and the Secure Firewall 3100 products.

Only ASA software releases 9.16.1 and later and FTD software releases 7.0.0 and later are impacted by this vulnerability. ASA software releases 9.16.3.19, 9.17.1.13, and 9.18.2, and FTD software releases 7.0.4, 7.1.0.2-2, and 7.2.0.1 address the security flaw.

“As the result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys. This is because it is possible the RSA private key has been leaked to a malicious actor,” Cisco says.
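The "malformed key" case can be illustrated with a short added example (not Cisco's procedure and not code from the advisory): it checks that the stored fields of an RSA private key agree with each other, and verifies each CRT signature before releasing it, a standard countermeasure against fault-based RSA-CRT key recovery. The toy primes, the dict layout and the function names are assumptions made for the illustration, and the check does not detect the valid-but-susceptible keys the advisory also mentions.

```python
# Constructed toy key (tiny primes for readability; real keys are 2048+ bits).
P, Q, E = 61, 53, 17

def make_key(p, q, e):
    """Build an RSA private key with CRT parameters (hypothetical dict layout)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def key_problems(k):
    """Return the consistency failures found among the stored key fields."""
    problems = []
    if k["p"] * k["q"] != k["n"]:
        problems.append("n != p*q")
    if (k["e"] * k["dp"]) % (k["p"] - 1) != 1:
        problems.append("dp inconsistent with e, p")
    if (k["e"] * k["dq"]) % (k["q"] - 1) != 1:
        problems.append("dq inconsistent with e, q")
    if (k["q"] * k["qinv"]) % k["p"] != 1:
        problems.append("qinv inconsistent with p, q")
    return problems

def sign_crt(k, m):
    """Textbook RSA-CRT signature (no padding, to keep the arithmetic visible)."""
    sp = pow(m, k["dp"], k["p"])
    sq = pow(m, k["dq"], k["q"])
    h = (k["qinv"] * (sp - sq)) % k["p"]
    return sq + h * k["q"]

def sign_checked(k, m):
    """Sign, then verify with the public key; never release a bad signature."""
    s = sign_crt(k, m)
    if pow(s, k["e"], k["n"]) != m % k["n"]:
        raise ValueError("signature failed self-verification; not released")
    return s

good = make_key(P, Q, E)
bad = dict(good, dq=good["dq"] ^ 1)  # constructed: one corrupted stored field

if __name__ == "__main__":
    print("good key:", key_problems(good) or "consistent")
    print("bad key: ", key_problems(bad))
    print("good signature:", sign_checked(good, 65))
    try:
        sign_checked(bad, 65)
    except ValueError as err:
        print("bad key:", err)
```
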

The tech company also notes that information on this vulnerability has already been made public, but that it is not aware of any exploitation attempts.

On Wednesday, Cisco also announced patches for a request smuggling vulnerability in the Clientless SSL VPN (WebVPN) component of ASA software, which could allow an unauthenticated, remote attacker to launch browser-based attacks by tricking the victim into accessing a malicious website.

Cisco deprecated support for the vulnerable component in ASA software release 9.17(1) and encourages customers to upgrade to a non-vulnerable release. As a possible workaround, customers could disable the Clientless SSL VPN feature, which could impact functionality or performance.

Tracked as CVE-2022-20713, the vulnerability is considered ‘medium severity’, but proof-of-concept exploit code targeting the bug is already available publicly.

In coordination with a Rapid7 talk at the Black Hat 2022 conference in Las Vegas, Cisco also updated a series of previously published advisories detailing high- and medium-severity vulnerabilities in ASA software, Adaptive Security Device Manager (ASDM), and FTD software.

Some of these vulnerabilities – such as CVE-2022-20651, CVE-2022-20828, and others – have already been addressed, but others have yet to be properly fixed, or they have yet to receive a patch at all.

Rapid7 has published a blog post detailing its findings. The cybersecurity firm has identified 10 issues, but it has not reached a consensus with Cisco regarding the impact and resolution of some flaws.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
