CVE-2022-20828
published 2022-06-24CVE-2022-20828: A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote…
PriorityP268high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
39.86%
98.4th percentile
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | asa_firepower | < 6.2.3.19 | 6.2.3.19 |
| cisco | asa_firepower | >= 6.3.0 < 6.4.0.15 | 6.4.0.15 |
| cisco | asa_firepower | >= 6.5.0 < 6.6.7 | 6.6.7 |
| cisco | asa_firepower | >= 6.7.0 < 7.0.2.1 | 7.0.2.1 |
| cisco | cisco_firepower_services_software_for_asa | — | — |
| cisco | firepower | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cisco_asax_sfr_rce.rb↗
- →Exploit is delivered via crafted HTTPS request to the ASDM web management interface of the Cisco ASA hosting the FirePOWER module ↗
- →Successful exploitation results in command execution as root user inside the SFR (FirePOWER) Linux virtual machine; monitor for unexpected root-level process spawning from the SFR module ↗
- →Attack bypasses the lockdown-sensor command restriction, making the SFR virtual machine's bash shell available; alert on bash shell access from the SFR module when lockdown-sensor is configured ↗
- →Metasploit module cisco_asax_sfr_rce targets this CVE; presence of this module in use against ASA devices is a strong indicator of exploitation attempt ↗
- →Track Cisco bug ID CSCwb32418 in ASA/FirePOWER logs and TAC cases as a reference identifier for this vulnerability ↗
- ·Vulnerability affects all Cisco ASA that support the ASA FirePOWER module; versions 6.2.2 and earlier, 6.3.x, 6.5.x, and 6.7.x will receive NO patch and remain permanently vulnerable ↗
- ·Patched ASA FirePOWER module versions are 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.2; ensure upgrade to these versions or later to remediate ↗
- ·Exploitation requires administrative credentials to the Cisco ASA (ASDM); the attack surface is limited to authenticated admins but the impact is full root RCE on the SFR module ↗
- ·Affected platforms include at minimum Cisco ASA-X with FirePOWER Services and Cisco ISA 3000 ↗
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_cisco6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-rhf7-g27p-vr96: A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, rem
ghsa_unreviewed·2022-06-25
CVE-2022-20828 [HIGH] GHSA-rhf7-g27p-vr96: A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, rem
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the
Cisco
Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
vendor_cisco·2022-06-22·CVSS 6.5
CVE-2022-20828 [MEDIUM] CWE-236 Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user.
This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module.
Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative acc
Cisco
Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
vendor_cisco·CVSS 3.1
CVE-2022-20828 Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
CVE-2022-20828: Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has admi
No detection rules found.
http://packetstormsecurity.com/files/168256/Cisco-ASA-X-With-FirePOWER-Services-Authenticated-Command-Injection.htmlhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdGhttps://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/http://packetstormsecurity.com/files/168256/Cisco-ASA-X-With-FirePOWER-Services-Authenticated-Command-Injection.htmlhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdGhttps://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/
2022-06-24
Published