Friday, August 12, 2022

Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions


Cisco on Wednesday released patches to contain multiple flaws in its software that could be abused to leak sensitive information on susceptible appliances.

The issue, assigned the identifier CVE-2022-20866 (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

Successful exploitation of the flaw could allow an attacker to retrieve the RSA private key by means of a Lenstra side-channel attack against the targeted device.

"If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic," Cisco warned in an advisory issued on August 10.
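The Lenstra attack referred to above, as an added illustration that is not from the article or from Cisco: a toy RSA-CRT signer (constructed key, far too small for real use) whose mod-p half can be corrupted, the public-key verification a defender can run on signatures collected from their own device to spot faulty ones, and the verify-before-release guard that keeps a faulty signature from ever leaving the signer. The gcd step shows why one faulty signature is enough to compromise the key.

```python
from math import gcd
from typing import Optional

# Constructed toy key (two Mersenne primes); far too small for real use.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p for Garner recombination


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA signing via the Chinese Remainder Theorem.

    fault=True simulates a transient error in the mod-p half of the
    computation, the kind of error that makes a Lenstra-style key
    recovery possible.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp ^= 1                     # corrupt one bit of the mod-p result
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def verify(sig: int, m: int) -> bool:
    """Public-key check s^e == m (mod N).

    A defender can run this on signatures collected from their own
    device; any failure means the signer emitted a faulty signature.
    """
    return pow(sig, E, N) == m


def sign_safely(m: int, fault: bool = False) -> int:
    """Mitigation: verify every CRT signature before releasing it."""
    sig = sign_crt(m, fault)
    if not verify(sig, m):
        raise RuntimeError("faulty signature suppressed; releasing it would leak the key")
    return sig


def factor_from_faulty_signature(sig: int, m: int) -> Optional[int]:
    """Why the guard matters: a signature that is correct mod q but wrong
    mod p satisfies sig^e - m == 0 (mod q) only, so gcd with N gives q."""
    f = gcd(pow(sig, E, N) - m, N)
    return f if 1 < f < N else None
```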


Cisco noted that the flaw impacts only Cisco ASA Software releases 9.16.1 and later and Cisco FTD Software releases 7.0.0 and later. Affected products are listed below –

  • ASA 5506-X with FirePOWER Services
  • ASA 5506H-X with FirePOWER Services
  • ASA 5506W-X with FirePOWER Services
  • ASA 5508-X with FirePOWER Services
  • ASA 5516-X with FirePOWER Services
  • Firepower 1000 Series Next-Generation Firewall
  • Firepower 2100 Series Security Appliances
  • Firepower 4100 Series Security Appliances
  • Firepower 9300 Series Security Appliances, and
  • Secure Firewall 3100

ASA software versions 9.16.3.19, 9.17.1.13, and 9.18.2, and FTD software releases 7.0.4, 7.1.0.2-2, and 7.2.0.1 have been released to address the security vulnerability.

Cisco credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the bug.

Also patched by Cisco is a client-side request smuggling flaw in the Clientless SSL VPN (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software that could enable an unauthenticated, remote attacker to conduct browser-based attacks, such as cross-site scripting, against the victim.


The company said the weakness, CVE-2022-20713 (CVSS score: 4.3), impacts Cisco devices that are running a release of Cisco ASA Software earlier than release 9.17(1) and have the Clientless SSL VPN feature turned on.

While there are no workarounds to remediate the flaw, affected users can disable the Clientless SSL VPN feature, although Cisco warns doing so "may negatively impact the functionality or performance" of the network.

The development comes as cybersecurity firm Rapid7 disclosed details of 10 bugs found in ASA, Adaptive Security Device Manager (ASDM), and FirePOWER Services Software for ASA, seven of which have since been addressed by Cisco.

These include CVE-2022-20829 (CVSS score: 9.1), CVE-2022-20651 (CVSS score: 5.5), CVE-2021-1585 (CVSS score: 7.5), CVE-2022-20828 (CVSS score: 6.5), and three other flaws that have not been assigned a CVE identifier.
