Researchers say Cisco firewall software remains vulnerable to attack despite patch

  • Researchers from Rapid7 claim malicious actors can still exploit a vulnerability in Cisco firewall software using man-in-the-middle attacks because a patch issued by the company is not working as promised. A large percentage of customers have failed to implement other recent security updates, Rapid7 said. 
  • Earlier this month, in a presentation at Black Hat USA, Rapid7 researchers reported multiple vulnerabilities in Cisco Adaptive Security Software, ASDM and Firepower Services Software for ASA, which were left unpatched for months. Cisco told Rapid7 researchers that it had resolved outstanding issues with CVE-2021-1585 and CVE-2022-20829. 
  • Rapid7 researchers confirmed that CVE-2022-20829 was successfully resolved. However, CVE-2021-1585 can still be exploited by attackersclicking through a pop-up window, Rapid7 said. Researchers also say very few users are deploying the patches that work, leaving a large number of users still vulnerable to attack. 

Cisco has more than 300,000 customers using its security products and more than 1 million ASA devices are deployed around the world. 

Rapid7 said the overarching point of the research they’ve conducted on Cisco highlights the risk of a malicious actor using ASA to hide or embed malicious code to gain further access into a targeted network. Essentially, ASA can be treated as a “Trojan horse” to launch attacks. 

“We’ve demonstrated that a man-in-the-middle or evil endpoint can still execute arbitrary code by attacking ASDM,” Jake Baines, lead security researcher at Rapid7, said via email. “Although we’ve shared this information with Cisco, it appears they intend to leave this unaddressed to support backwards compatibility with old versions of ASDM.”

Baines said Rapid7 has released some YARA rules to help users determine if they’ve installed malicious software. 

Cisco said it released fixed software for all of the vulnerabilities previously disclosed by Rapid7 researchers. A Cisco spokesperson said CVE-2021-1985 is fixed in the Cisco Adaptive Security Device Manager on the device running Cisco Adaptive Security Appliance (ASA) software and the Cisco ASDM-IDM launcher on the user’s local machine are both updated. 

“A click-through bypass window only presents itself if a user connects to a device running an out-of-date version of Cisco ASDM using a local machine that runs the latest Cisco ASDM-IDM Launcher update,” the Cisco spokesperson said, via email. 

The Cisco spokesperson added that some customers may not have upgraded to a version of ASDM that fixes CVE-2021-1985. 

“Cisco has a robust process in place to inform its customers about security vulnerabilities in our products and how to mitigate them,” the spokesperson said. “Please refer to the specific security advisories for the latest information.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s