CVE-2022-20828
published 2022-06-24


Priority: high (P268)
CVSS 3.1 base score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see Detection & IOCs)
EPSS: 39.86% (98.4th percentile)
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA.

Affected (6 entries)

Vendor   Product                                     Version range           Fixed in
cisco    asa_firepower                               < 6.2.3.19              6.2.3.19
cisco    asa_firepower                               >= 6.3.0, < 6.4.0.15    6.4.0.15
cisco    asa_firepower                               >= 6.5.0, < 6.6.7       6.6.7
cisco    asa_firepower                               >= 6.7.0, < 7.0.2.1     7.0.2.1
cisco    cisco_firepower_services_software_for_asa   (no range given)        (none given)
cisco    firepower                                   (no range given)        (none given)
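The fixed-release table above has a trap: 6.3.x, 6.5.x and 6.7.x builds have no fix on their own train and must move to the next train's fixed release, and a naive string comparison ranks 6.2.3.9 above 6.2.3.19. The following triage helper is an added example, not code from this page, from Cisco or from the Metasploit module; it transcribes the four ranges from the table, compares versions numerically, and flags when remediation means a train jump. It assumes the module reports plain dotted-integer build strings (for example from `show version` on the SFR module).

```python
"""Triage helper for CVE-2022-20828: is an ASA FirePOWER (SFR) module
build inside a vulnerable range, and which fixed release applies?

Added example, not code from cvebase, Cisco or the Metasploit module.
The ranges are transcribed from this page's Affected table; the
train-jump rule (6.3.x -> 6.4.0.15, 6.5.x -> 6.6.7, 6.7.x -> 7.0.2.1)
follows directly from those ranges.  Version strings are assumed to be
dotted integers as the SFR module reports them.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# (inclusive lower bound or None, exclusive upper bound, fixed release)
AFFECTED_RANGES: List[Tuple[Optional[str], str, str]] = [
    (None,    "6.2.3.19", "6.2.3.19"),
    ("6.3.0", "6.4.0.15", "6.4.0.15"),
    ("6.5.0", "6.6.7",    "6.6.7"),
    ("6.7.0", "7.0.2.1",  "7.0.2.1"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.2.3.19' into (6, 2, 3, 19) so comparison is numeric.

    Lexical comparison would wrongly rank '6.2.3.9' above '6.2.3.19'.
    Python tuple ordering treats a shorter prefix as smaller, so '6.4'
    compares below '6.4.0.15' without explicit zero padding.
    """
    parts = tuple(int(p) for p in v.strip().split(".") if p != "")
    if not parts:
        raise ValueError(f"empty or malformed version: {v!r}")
    return parts


def assess(version: str) -> Dict[str, object]:
    """Classify one SFR build against the page's affected ranges.

    Returns vulnerable=True with the applicable fixed release, plus
    same_train=False when the fix lives on a different major.minor
    train (6.3.x, 6.5.x, 6.7.x have no patched build of their own).
    """
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        if above_lower and v < parse_version(upper):
            return {
                "version": version,
                "vulnerable": True,
                "fixed_in": fixed,
                "same_train": v[:2] == parse_version(fixed)[:2],
            }
    return {"version": version, "vulnerable": False,
            "fixed_in": None, "same_train": None}


def triage_inventory(rows: Iterable[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over (hostname, sfr_version) pairs and keep only
    devices that need action, annotated with the remediation path."""
    findings = []
    for host, version in rows:
        result = assess(version)
        if not result["vulnerable"]:
            continue
        result["host"] = host
        result["action"] = (
            f"upgrade to {result['fixed_in']}" if result["same_train"]
            else f"no fix on this train; move to {result['fixed_in']}"
        )
        findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("asa-edge-1", "6.2.3.9"),   # vulnerable, same-train fix
        ("asa-edge-2", "6.3.2"),     # vulnerable, train jump required
        ("asa-dc-1",   "6.6.7"),     # patched
        ("isa3000-1",  "7.0.1"),     # vulnerable, same-train fix
    ]
    for f in triage_inventory(sample):
        print(f"{f['host']}: {f['version']} -> {f['action']}")
```

Feed it the module version column from your inventory; anything returned with `same_train=False` is a device that the bullets below describe as permanently vulnerable on its current train and needs a train upgrade rather than a point release.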

Detection & IOCs (extracted from sources)

Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cisco_asax_sfr_rce.rb
  • The exploit is delivered as a crafted HTTPS request to the ASDM web management interface of the Cisco ASA that hosts the FirePOWER module.
  • Successful exploitation yields command execution as root inside the SFR (FirePOWER) Linux virtual machine; monitor for unexpected root-level processes spawned from the SFR module.
  • The attack bypasses the lockdown-sensor command restriction and exposes the SFR virtual machine's bash shell; alert on bash shell access from the SFR module on devices where lockdown-sensor is configured.
  • The Metasploit module cisco_asax_sfr_rce targets this CVE; its use against ASA devices is a strong indicator of an exploitation attempt.
  • Cisco bug ID CSCwb32418 is the reference identifier for this vulnerability in ASA/FirePOWER logs and TAC cases.
  • The vulnerability affects all Cisco ASA platforms that support the ASA FirePOWER module; module versions 6.2.2 and earlier, 6.3.x, 6.5.x and 6.7.x will receive no patch and remain vulnerable until moved to a fixed train.
  • Patched ASA FirePOWER module versions are 6.2.3.19, 6.4.0.15, 6.6.7 and 7.0.2; upgrade to these versions or later to remediate.
  • Exploitation requires administrative credentials to the Cisco ASA (ASDM); the attack surface is limited to authenticated administrators, but the impact is full root RCE on the SFR module.
  • Affected platforms include at minimum Cisco ASA-X with FirePOWER Services and Cisco ISA 3000.

CVSS provenance

NVD (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 9.0 HIGH, AV:N/AC:L/Au:S/C:C/I:C/A:C (the v2 severity scale has no CRITICAL band; 7.0 and above is HIGH)
Cisco (vendor): 6.5 MEDIUM