Rapid7: Cisco ASA and ASDM flaws went unpatched for months

While several of the vulnerabilities were reported to Cisco in February, they remained unpatched until Thursday, when Rapid7's Jake Baines discussed the flaws at Black Hat USA 2022.

LAS VEGAS -- Vulnerabilities discovered in Cisco software may lead to a variety of threats, including supply chain attacks, Rapid7 lead researcher Jake Baines warned during a Black Hat USA 2022 session.

In the session on Thursday, Baines discussed several flaws affecting Cisco Adaptive Security Appliance software, which is the operating system for ASA devices like firewalls. Cisco ASA devices, as he described, typically sit at the edge of a corporate network.

"It's a critical asset because it acts as the gateway to the internet in your corporate network and implements access controls and protections," Baines said during the session.

In addition to the ASA software flaws, Baines discovered vulnerabilities affecting Adaptive Security Device Manager (ASDM), Cisco ASA-X and Firepower Services software.

Baines reported 10 flaws to Cisco overall during February and March, including six that remained unpatched. Three of the most critical, according to Rapid7, went unfixed until Thursday -- the same day he presented his research at Black Hat USA. While Cisco issued advisories for the bugs, Baines emphasized that he had not been able to test the fixes yet.

The main concern for Baines was that Cisco ASA has a few features that may allow a malicious actor to gain access to a network and use that access to commit further attacks if the vulnerabilities are exploited.

One of the most critical flaws Rapid7 cited and included in a blog post on Thursday, tracked as CVE-2022-20829, was an unsigned ASDM binary package.

If there is no Cisco signature on the binary package, a threat actor could craft their own arbitrary ASA account package, which Baines said is a big deal because it could allow actors to attack an admin account.

Why weren't the binaries signed?

It's unclear why the ASDM packages were not signed. Baines told SearchSecurity that part of the problem for Cisco is that ASDM supports so many different versions of ASA. Additionally, ASA software dates back 15 years. He added that some services, such as ASA-X, are still used around the globe, but the software itself still supports 15-year-old versions of ASA.

After he reported the flaws, Cisco gave Baines a test build of ASDM in June that it had modified with a patch. The build contained a lot of development work, but he discovered the patch did not work.

Baines said a different researcher presented research in 2015 showing that the Cisco ASA firmware was not signed and could have code inserted into it. While Cisco fixed that issue, it did not address the other packages in the years that followed, he said.

"From my point of view, they should have known these were issues. They left it unaddressed after all these years," Baines said.

There are some obstacles that make signatures more complicated for ASA. For example, Baines said the way it operates is not the way normal software operates.

"The client that gets installed on an admin system is not checking the signatures that actually do exist on one level," he told SearchSecurity. "I'm not sure Cisco understood that, because the patch they put out attempted to shift the signature checking off of the client, but it didn't really work."

Supply chain attacks

Another concern Baines addressed during the session was a man-in-the-middle attack, which could allow threat actors to monitor and modify the communications between the ASA client and the ASA device itself. In one of the ASDM flaws, which has not been patched, Baines discovered the client was not verifying the server's SSL certificate.

Though the exploit does require elevated privileges to install packages on the ASA, Baines said there are several attack vectors for obtaining them. For example, attackers could find ways to get the required credentials or rely on an insider threat.

"My favorite attack vector is the supply chain attack," he said during the session.

For the Black Hat USA session, Baines purchased a test ASA device, and it came preloaded with one of the binaries on it. He told SearchSecurity that there was nothing stopping whoever the previous owner was from uploading a malicious binary. Therefore, when he was using that ASA device, it could have been exploited. Even worse, if done correctly, he would have never known. That's where third-party and supply chain risks come into play.

Baines told SearchSecurity that while his experience with Cisco during the disclosure process was pretty good, it did not necessarily have the desired outcome from his point of view. It was a long timeline with more than 50 messages back and forth, and at the end of the day, their opinions differed on the severity of the flaws.

At press time, three of the flaws Baines reported to Cisco were not assigned CVEs and remained unpatched.

The final takeaway Baines issued was for companies to stop using an ASA with Firepower services. "If you're using the ASDM interface, that's something you should consider not using."