Cisco this week announced the release of patches for a high-severity vulnerability in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an unauthenticated attacker to leak an RSA private key.
The ASA software is the core operating system of Cisco’s ASA security devices, which provide protection to data centers and corporate networks, while the FTD software delivers next-generation firewall services.
Tracked as CVE-2022-20866, the vulnerability exists because of “a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco notes in its advisory.
A threat actor using a Lenstra side-channel attack against a vulnerable device could exploit the security bug to retrieve the RSA private key.
“This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key,” Cisco explains.
The tech company also notes that a valid RSA key may have specific characteristics that make it vulnerable to the leak, or that a vulnerable software release may create a malformed and invalid RSA key, which then produces an invalid RSA signature that fails verification.
In either case, an attacker may use the obtained RSA private key to impersonate a device running ASA or FTD software, or to decrypt the device traffic.
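The two failure modes Cisco describes, a key whose stored components are inconsistent and a signature computed with a fault in one CRT half, are both caught by the standard defensive checks: validate the stored private key against itself, and verify every RSA-CRT signature with the public key before it leaves the device. The following is an added illustration written for this article, not Cisco's code and not a description of the ASA/FTD implementation; it uses a constructed toy key (two known small primes, far too small for real use), a SHA-256 digest in place of a real padding scheme, and a simulated fault to show why the verify-before-release guard matters.

```python
import hashlib
from math import gcd

# Constructed toy key material (two known primes: 2^61-1 and 2^31-1).
# Assumed for illustration only; nothing here is a real device key.
TOY_P = 2305843009213693951
TOY_Q = 2147483647
TOY_E = 65537


def make_rsa_key(p, q, e):
    """Build an RSA private key in CRT form (n, e, d, p, q, dP, dQ, qInv)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return {
        "n": p * q, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p),
    }


def check_key_consistency(key):
    """Return a list of defects in the stored key; an empty list means every
    component agrees. A key whose CRT components disagree with (d, p, q) yields
    signatures that fail verification: the 'malformed and invalid' case."""
    defects = []
    p, q, n, e, d = key["p"], key["q"], key["n"], key["e"], key["d"]
    if p * q != n:
        defects.append("p*q != n")
    if (e * d) % ((p - 1) * (q - 1)) != 1:
        defects.append("e*d != 1 mod phi(n)")
    if key["dp"] != d % (p - 1):
        defects.append("dP != d mod (p-1)")
    if key["dq"] != d % (q - 1):
        defects.append("dQ != d mod (q-1)")
    if (key["qinv"] * q) % p != 1:
        defects.append("qInv != q^-1 mod p")
    return defects


def message_representative(msg, n):
    """SHA-256 of the message reduced mod n (a stand-in for a real padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_crt(key, msg, fault_in_p=False):
    """RSA-CRT signature using Garner's recombination.

    fault_in_p=True simulates a corrupted exponentiation mod p, i.e. an error
    confined to one CRT half, which is the condition a Lenstra-style attack needs."""
    m = message_representative(msg, key["n"])
    s_p = pow(m, key["dp"], key["p"])
    s_q = pow(m, key["dq"], key["q"])
    if fault_in_p:
        s_p = (s_p + 1) % key["p"]  # simulated fault: only the mod-p half is wrong
    h = (key["qinv"] * (s_p - s_q)) % key["p"]
    return s_q + h * key["q"]


def verify(key, msg, sig):
    """Public-key verification: sig^e mod n must equal the message representative."""
    return pow(sig, key["e"], key["n"]) == message_representative(msg, key["n"])


def sign_guarded(key, msg, fault_in_p=False):
    """Sign, then verify with the public key before releasing the signature.

    Returns None instead of a signature that does not verify, so a faulty CRT
    computation (or a malformed key) never produces an externally visible signature."""
    sig = sign_crt(key, msg, fault_in_p)
    if not verify(key, msg, sig):
        return None
    return sig


if __name__ == "__main__":
    key = make_rsa_key(TOY_P, TOY_Q, TOY_E)
    print("stored key defects:", check_key_consistency(key))
    print("clean signature released:", sign_guarded(key, b"hello") is not None)
    print("faulty signature suppressed:", sign_guarded(key, b"hello", fault_in_p=True) is None)
```

The guard is the classic countermeasure against CRT fault attacks: a signature that fails public-key verification is discarded rather than emitted, and `check_key_consistency` is the kind of self-test an administrator would want when deciding which stored keys to remove and which certificates to revoke.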
The vulnerability, Cisco explains, impacts the following ASA devices with FirePOWER services: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, and ASA 5516-X, as well as the Firepower 1000 series next-gen firewalls, the Firepower 2100, 4100, and 9300 series security appliances, and the Secure Firewall 3100 products.
Only ASA software releases 9.16.1 and later and FTD software releases 7.0.0 and later are impacted by this vulnerability. ASA software releases 188.8.131.52, 184.108.40.206, and 9.18.2, and FTD software releases 7.0.4, 220.127.116.11-2, and 18.104.22.168 address the security flaw.
“As the result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys. This is because it is possible the RSA private key has been leaked to a malicious actor,” Cisco says.
The tech company also notes that information on this vulnerability has already been made public, but that it is not aware of any exploitation attempts.
On Wednesday, Cisco also announced patches for a request smuggling vulnerability in the Clientless SSL VPN (WebVPN) component of ASA software, which could allow an unauthenticated, remote attacker to launch attacks from the victim's browser by tricking the victim into visiting a malicious website.
Cisco deprecated support for the vulnerable component in ASA software release 9.17(1) and encourages customers to upgrade to a non-vulnerable release. As a possible workaround, customers could disable the Clientless SSL VPN feature, which could impact functionality or performance.
Tracked as CVE-2022-20713, the vulnerability is considered ‘medium severity’, but proof-of-concept exploit code targeting the bug is already available publicly.
In coordination with a Rapid7 talk at the Black Hat 2022 conference in Las Vegas, Cisco also updated a series of previously published advisories detailing high- and medium-severity vulnerabilities in ASA software, Adaptive Security Device Manager (ASDM), and FTD software.
Some of these vulnerabilities – such as CVE-2022-20651, CVE-2022-20828, and others – have already been addressed, but others have yet to be properly fixed, or they have yet to receive a patch at all.
Rapid7 has published a blog post detailing its findings. The cybersecurity firm has identified 10 issues, but it has not reached a consensus with Cisco regarding the impact and resolution of some flaws.