Pierluigi Paganini August 11, 2022

Cisco addressed a high severity flaw, tracked as CVE-2022-20866, affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

Cisco addressed a high severity vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

The flaw, tracked as CVE-2022-20866, impacts the handling of RSA keys on devices running Cisco ASA Software and FTD Software, an unauthenticated, remote attacker can trigger it to retrieve an RSA private key. Once obtained the key, the attackers can impersonate a device that is running ASA/FTD Software or to decrypt the device traffic.

“This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key.” reads the advisory published by the IT giant.

The advisory states that the following conditions may be observed on an affected device:

• This issue will impact approximately 5 percent of the RSA keys on a device that is running a vulnerable release of ASA Software or FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key.
• The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. 
• The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.

The flaw impacts products running vulnerable Cisco ASA (9.16.1 and later) or Cisco FTD (7.0.0 and later) software that perform hardware-based cryptographic functions:

• ASA 5506-X with FirePOWER Services
• ASA 5506H-X with FirePOWER Services
• ASA 5506W-X with FirePOWER Services
• ASA 5508-X with FirePOWER Services
• ASA 5516-X with FirePOWER Services
• Firepower 1000 Series Next-Generation Firewall
• Firepower 2100 Series Security Appliances
• Firepower 4100 Series Security Appliances
• Firepower 9300 Series Security Appliances
• Secure Firewall 3100

Cisco recommends administrators of ASA/FTD devices to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys, because it is possible that the RSA private key has been leaked to a malicious actor.

The flaw was reported by Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder.

Cisco has credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the security flaw.

The Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this issue.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ASA)

[adrotate banner=”5″]

[adrotate banner=”13″]