4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls

Published: 23/11/2024   Category: security




More than 1 million instances of firewalls running Cisco Adaptive Security Appliance (ASA) software have four vulnerabilities that undermine its security, a researcher finds.



BLACK HAT USA — Las Vegas — Cisco's enterprise-class firewalls have at least a dozen vulnerabilities, four of which have been assigned CVE identifiers, that could allow attackers to infiltrate networks protected by the devices, a security researcher from vulnerability management firm Rapid7 plans to say in a presentation at the Black Hat USA conference on Aug. 11.
The vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) software, the operating system for the company's enterprise-class firewalls, and its ecosystem. The most significant security weakness (CVE-2022-20829) is that the Adaptive Security Device Manager (ASDM) binary packages are not digitally signed, which, combined with the failure to verify a server's SSL certificate, allows an attacker to deploy customized ASA binaries that can then install files onto administrators' computers.
"Because administrators just expect the ASDM software to come preinstalled on devices, the fact that the binaries are not signed gives attackers a significant supply chain attack," says Jake Baines, lead security researcher at Rapid7.
"If someone buys an ASA device on which the attacker has installed their own code, the attackers don't get shell on the ASA device, but when an administrator connects to the device, now [the attackers] have a shell on [the administrator's] computer," he says. "To me, that is the most dangerous attack."
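The unsigned-package problem described above comes down to a missing check in the client that installs the software. The following Go program is an added example, not Cisco's or Rapid7's code, of what that check looks like: a vendor signs a release with an Ed25519 key, and the installer refuses anything whose signature does not verify against a vendor public key pinned at build time. The package bytes, the key pair and the `SignPackage`/`VerifyPackage` helpers are all constructed for the example; the scenario shows a genuine bundle passing, a bundle tampered with after signing failing, and a bundle re-signed with a key the installer does not trust failing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a constructed stand-in for a management-client bundle:
// the installer bytes plus a detached signature over their SHA-256 digest.
type SignedPackage struct {
	Payload   []byte
	Signature []byte
}

// SignPackage models the vendor's release step (hypothetical; not any real
// vendor's pipeline). The private key never leaves the build system.
func SignPackage(priv ed25519.PrivateKey, payload []byte) SignedPackage {
	digest := sha256.Sum256(payload)
	return SignedPackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is the check an installer or launcher must run before
// executing anything from the bundle. The trust anchor is a vendor public
// key baked into the launcher at build time, never a key delivered next to
// the package it is supposed to vouch for.
func VerifyPackage(vendorPub ed25519.PublicKey, pkg SignedPackage) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("no valid vendor key pinned: refusing to install")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: refusing to install")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(vendorPub, digest[:], pkg.Signature) {
		return errors.New("signature does not cover this payload: refusing to install")
	}
	return nil
}

// SigningOutcome records how the verifier treats three bundles.
type SigningOutcome struct {
	GenuineErr  error // vendor-signed, untouched bytes: must pass
	TamperedErr error // one byte changed after signing: must fail
	ResignedErr error // signed with a key that is not the vendor's: must fail
}

// RunSigningScenario builds the three bundles from a constructed installer
// payload and returns what VerifyPackage says about each.
func RunSigningScenario() (SigningOutcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SigningOutcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SigningOutcome{}, err
	}

	installer := []byte("constructed installer bytes: not a real ASDM package")
	genuine := SignPackage(vendorPriv, installer)

	// Supply-chain tampering: payload modified after it was signed.
	tampered := SignedPackage{Payload: append([]byte(nil), genuine.Payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0x01

	// A package that is "signed", but not by the key the launcher trusts.
	resigned := SignPackage(otherPriv, installer)

	return SigningOutcome{
		GenuineErr:  VerifyPackage(vendorPub, genuine),
		TamperedErr: VerifyPackage(vendorPub, tampered),
		ResignedErr: VerifyPackage(vendorPub, resigned),
	}, nil
}

func main() {
	out, err := RunSigningScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine :", out.GenuineErr)
	fmt.Println("tampered:", out.TamperedErr)
	fmt.Println("resigned:", out.ResignedErr)
}
```

The point of the third case is that "signed" on its own means nothing: the installer has to know in advance which key it will accept, which is why the public key must ship with the launcher and not with the package.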
The dozen security weaknesses include issues that impact devices and virtual instances running the ASA software, as well as vulnerabilities in the Firepower next-generation firewall module. More than 1 million ASA devices are deployed worldwide by Cisco's customers, although a Shodan search shows that only about 20% have the management interface exposed to the Internet, Baines says.
As a supply chain attack, the vulnerabilities would give threat actors the ability to compromise a virtual device at the edge of the network — an environment that most security teams would not analyze for security threats, he says.
"If you have access to the virtual machine, you have full access inside the network, but more importantly, you can sniff all the traffic going through, including decrypted VPN traffic," Baines says. "So, it is a really great place for an attacker to chill out and pivot, but probably just sniff for credentials or monitor the traffic flowing into the network."
Baines discovered the issue when he was investigating the Cisco ASDM "to get a level set on how the GUI (graphical user interface) works and pull apart the protocol," he says.
A component installed on administrators systems, known as the ASDM launcher, could be used by attackers to deliver malicious code in Java class files or through the ASDM Web portal. As a result, attackers could create a malicious ASDM package to compromise the administrators system through installers, malicious Web pages, and malicious Java components.
The ASDM vulnerabilities discovered by Rapid7 include a known vulnerability (CVE-2021-1585) that allows an unauthenticated remote code execution (RCE) attack, which Cisco claimed was patched in a recent update, but Baines discovered it remained.
In addition to the ASDM issues, Rapid7 found a handful of security weaknesses in the Firepower next-generation firewall module, including an authenticated remote command injection vulnerability (CVE-2022-20828). The Firepower module is a Linux-based virtual machine hosted on the ASA device, and it runs the Snort scanning software to classify traffic, according to Rapid7's advisory.
"The final takeaway for this issue should be that exposing ASDM to the internet could be very dangerous for ASA that use the Firepower module," the advisory states. "While this might be a credentialed attack, as noted previously, ASDM's default authentication scheme discloses username and passwords to active MitM [machine-in-the-middle] attackers."
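The advisory's point, and the certificate-verification failure mentioned earlier, are two sides of the same client mistake: a management client that does not verify the server's certificate hands its HTTP Basic credentials to whoever terminates the TLS connection. The Go program below is an added example, not ASDM or any Cisco code, that puts the weak setting beside the corrected one. It starts a constructed stand-in for a management endpoint on loopback with a throwaway self-signed certificate (standing in for whatever certificate an active MitM would present) and connects three clients to it: one with `InsecureSkipVerify`, one with a strict trust store that does not contain the certificate, and one whose trust store is pinned to the expected certificate. Only the strict client refuses to transmit the password.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newManagementStandIn serves a constructed endpoint that demands HTTP Basic
// credentials over TLS, which is enough to show what a client does with them.
// It is not ASDM; httptest gives it a throwaway self-signed certificate.
func newManagementStandIn() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, _, ok := r.BasicAuth(); !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="mgmt"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		io.WriteString(w, "authenticated")
	}))
}

// sendCredentials performs one authenticated GET under the given TLS policy.
// A nil return means the handshake completed and the Basic credentials were
// transmitted to whoever holds the certificate the client saw.
func sendCredentials(url string, cfg *tls.Config) error {
	transport := &http.Transport{TLSClientConfig: cfg}
	defer transport.CloseIdleConnections()
	client := &http.Client{Transport: transport}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth("admin", "constructed-password") // constructed credentials
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// TLSOutcome records whether each client policy released the credentials.
type TLSOutcome struct {
	SkipVerifyErr error // InsecureSkipVerify: accepts any certificate
	StrictErr     error // trust store lacks this certificate: must refuse
	PinnedErr     error // trust store holds the expected certificate: accepts
}

// RunTLSScenario connects three differently configured clients to the stand-in.
// Its self-signed certificate plays the role of whatever an active MitM would
// present; a correctly configured client never sends the password to it.
func RunTLSScenario() TLSOutcome {
	srv := newManagementStandIn()
	defer srv.Close()

	// Weak setting: no verification at all. This is the client behaviour that
	// lets an interposed party collect the administrator's password.
	weak := &tls.Config{InsecureSkipVerify: true}

	// Corrected setting: an explicit trust store that does not contain the
	// unexpected certificate. The handshake fails before any HTTP is sent.
	strict := &tls.Config{RootCAs: x509.NewCertPool()}

	// Pinned setting: the same strict policy, but trusting exactly the
	// certificate the operator expects, so only that server gets the password.
	pinnedPool := x509.NewCertPool()
	pinnedPool.AddCert(srv.Certificate())
	pinned := &tls.Config{RootCAs: pinnedPool}

	return TLSOutcome{
		SkipVerifyErr: sendCredentials(srv.URL, weak),
		StrictErr:     sendCredentials(srv.URL, strict),
		PinnedErr:     sendCredentials(srv.URL, pinned),
	}
}

func main() {
	out := RunTLSScenario()
	fmt.Println("skip-verify client:", out.SkipVerifyErr)
	fmt.Println("strict client     :", out.StrictErr)
	fmt.Println("pinned client     :", out.PinnedErr)
}
```

The strict client's error is raised by the TLS layer, so the request, and the `Authorization` header carrying the Basic credentials, is never written to the wire; that is the property the advisory says ASDM's default scheme lacks.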
Updating can be complex for Cisco ASA appliances, presenting a problem for companies in mitigating the vulnerabilities. The most widely deployed version of the ASA software is five years old, Baines says. Only about half a percent of installations updated their ASA software within seven days to the latest version, he adds.
"There is no auto-patch feature, so the most popular version of the appliance operating system is quite old," Baines says.
Cisco has had to deal with security issues in its other products as well. Last week, Cisco disclosed a trio of vulnerabilities in its RV series of small business routers. The vulnerabilities could be used together to allow an attacker to execute arbitrary code on Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers without authenticating first.
