According to the latest figures, the security product customer base for Cisco tops 300,000 customers, and the company can assert that more than 1 million of its ASA firewall devices have been implemented on networks around the world.
Now, security solution provider Rapid7 claims that its recent research shows a significant current risk that bad actors can exploit vulnerabilities in ASAs to gain access to the networks the devices are meant to protect. Attackers are able to embed or hide malicious code in ASAs, turning them into “Trojan horses” that act as platforms from which attacks can be launched.
In the words of Jake Baines, the lead security researcher at Rapid7, the team has “demonstrated that a man-in-the-middle or evil endpoint can still execute arbitrary code by attacking ASDM.”
Baines went on to say, “Although we’ve shared this information with Cisco, it appears they intend to leave this unaddressed to support backwards compatibility with old versions of ASDM.”
To assist ASA users to determine whether malicious software has been installed, Rapid7 released YARA rules designed to facilitate effective analysis.
This runs counter to Cisco’s official statement that it patched the vulnerabilities that were the focus of Rapid7’s research. A Cisco spokesperson said the related Common Vulnerabilities and Exposures (CVE) item, CVE-2021-1985, was remediated for the Cisco Adaptive Security Device Manager on devices running Cisco Adaptive Security Appliance (ASA) software; Cisco also claims that the Cisco ASDM-IDM Launcher, which is designed to reside on user workstations, has been patched as well.
Per the Cisco spokesperson, “A click-through bypass window only presents itself if a user connects to a device running an out-of-date version of Cisco ASDM using a local machine that runs the latest Cisco ASDM-IDM Launcher update.” Cisco acknowledged one risk: that customers may not have upgraded ASDM to a version that is not vulnerable to CVE-2021-1985.
The Cisco spokesperson asserted that “Cisco has a robust process in place to inform its customers about security vulnerabilities in our products and how to mitigate them,” pointing interested parties to “specific security advisories for the latest information.”
Rapid7’s research indicates that a large percentage of Cisco customers have in fact not applied the security updates. The security company also continues to assert that malicious actors are still able to exploit the firewall vulnerability via man-in-the-middle attacks because the patch Cisco released does not work as promised. Rapid7 researchers did confirm the efficacy of the patches in addressing one vulnerability, tracked as CVE-2022-20829, but CVE-2021-1585 remains exploitable if attackers click through a pop-up window.