- Researchers from Rapid7 discovered 10 vulnerabilities in Cisco firewall and network security products. Although the flaws were reported to the company in February and March, six of them had not been fully patched at the time the research was presented.
- The vulnerabilities were found in Cisco Adaptive Security Appliance (ASA) software, the Adaptive Security Device Manager (ASDM) and FirePOWER Services Software for ASA. Cisco has more than 300,000 security customers, and more than 1 million ASA devices are deployed worldwide.
- Most of the vulnerabilities allow attackers to execute arbitrary code, Jake Baines, lead security researcher at Rapid7, said via email. Rapid7 researchers presented the findings this week at Black Hat USA in Las Vegas.
Rapid7 researchers have conducted extensive zero-day research on internet-facing devices and previously found vulnerabilities in SonicWall firewalls in January and Zyxel VPN firewalls in April, Baines said. Malicious actors have frequently targeted these types of devices in the past.
The Cisco ASA has been affected by five vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, including some released in the Shadow Brokers leak, EXTRABACON and EPICBANANA, according to Baines.
Some of the vulnerabilities execute code on the administrative systems that connect to the ASA, and some execute code on the virtual machine hosted on ASA-X appliances with FirePOWER Services, according to Baines.
“The how and why is a bit complicated, but ultimately, a number of these vulnerabilities allow a malicious attacker to install malicious software on the ASA, which turns the system into a Trojan horse,” Baines said.
Cisco said it is aware of the vulnerabilities reported by Rapid7 researchers and is tracking the vulnerabilities with three advisories and three software bug release notes, according to a spokesperson.
“Cisco works in close coordination with the security community to help protect our customers, and we appreciate the collaboration with the security researchers who brought these vulnerabilities to our attention,” the spokesperson said via email.
The vulnerabilities have likely gone unpatched in deployed devices for years, Baines said. In particular, customers appear not to be updating the ASDM image on their ASA. When Rapid7 scanned the internet for ASAs serving ASDM, the most common version in use was one originally released in 2017, Baines said.
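The finding above, that ASDM images lag years behind the ASA software they run on, is the kind of thing an inventory audit should flag. The following is an added example written for this page, not code from Rapid7, Cisco or the article: it parses Cisco's `major.minor(maintenance[.interim])` version strings for both ASA and ASDM, compares each device against a minimum acceptable version, and reports any device below the floor or with an unparseable version. The inventory entries and the two minimum versions (`MIN_ASA`, `MIN_ASDM`) are constructed placeholders; substitute the fixed releases listed in Cisco's advisories for your platform.

```python
import re
from dataclasses import dataclass

# Cisco ASA/ASDM versions look like "9.16(3)" or "7.18(1.152)":
# major.minor(maintenance[.interim]). Missing interim is treated as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_cisco_version(s):
    """Return a comparable tuple (major, minor, maint, interim); raise ValueError if unrecognised."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {s!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


@dataclass
class Device:
    host: str
    asa_version: str
    asdm_version: str


# Hypothetical minimum versions (assumptions for this example, not Cisco's fixed releases).
MIN_ASA = "9.16(3)"
MIN_ASDM = "7.18(1.152)"


def find_outdated(devices, min_asa=MIN_ASA, min_asdm=MIN_ASDM):
    """Return [(host, [reason, ...])] for every device below either floor or with a bad version."""
    asa_floor = parse_cisco_version(min_asa)
    asdm_floor = parse_cisco_version(min_asdm)
    findings = []
    for d in devices:
        reasons = []
        # ASA software: the firewall image itself.
        try:
            if parse_cisco_version(d.asa_version) < asa_floor:
                reasons.append(f"ASA {d.asa_version} < {min_asa}")
        except ValueError as e:
            reasons.append(f"ASA version unparseable: {e}")
        # ASDM image: updated separately from ASA, which is how it ends up years behind.
        try:
            if parse_cisco_version(d.asdm_version) < asdm_floor:
                reasons.append(f"ASDM {d.asdm_version} < {min_asdm}")
        except ValueError as e:
            reasons.append(f"ASDM version unparseable: {e}")
        if reasons:
            findings.append((d.host, reasons))
    return findings


# Constructed sample inventory; the hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    Device("fw-edge-1", "9.16(3)", "7.8(2)"),         # current ASA, 2017-era ASDM
    Device("fw-edge-2", "9.18(2)", "7.18(1.152)"),    # both at or above the floor
    Device("fw-lab", "9.12(4)", "7.12(1)"),           # both outdated
    Device("fw-bad", "unknown", "7.8(2)"),            # inventory record with a bad ASA field
]

if __name__ == "__main__":
    for host, reasons in find_outdated(SAMPLE_INVENTORY):
        print(host)
        for r in reasons:
            print("  -", r)
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would rank "7.8(2)" above "7.18(1.152)" because "8" sorts after "1", and would silently hide exactly the 2017-era images the scan found.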
Despite the initial delays, Baines praised the response of Cisco to the research, calling it very professional.
“They put in a significant amount of effort into ensuring they understood all the issues we were conveying to them, and were always willing to listen to our opinions on the issues,” Baines said.