Colin Mc Hugo

Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions

August 12, 2022

Cisco on Wednesday released patches to contain several flaws in its software that can be abused to leak sensitive information on vulnerable devices.

The issue, assigned the identifier CVE-2022-20866 (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

Successful exploitation of the flaw can allow an attacker to retrieve the RSA private key through a Lenstra side-channel attack against the targeted device.

"If an attacker obtains the RSA private key, they can use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic," Cisco warned in an advisory issued on August 10.


Cisco noted that the flaw affects only Cisco ASA Software releases 9.16.1 and later and Cisco FTD Software releases 7.0.0 and later. Affected products are listed below:

  • ASA 5506-X with FirePOWER Services
  • ASA 5506H-X with FirePOWER Services
  • ASA 5506W-X with FirePOWER Services
  • ASA 5508-X with FirePOWER Services
  • ASA 5516-X with FirePOWER Services
  • Firepower 1000 Series Next-Generation Firewall
  • Firepower 2100 Series Security Appliances
  • Firepower 4100 Series Security Appliances
  • Firepower 9300 Series Security Appliances, and
  • Secure Firewall 3100

ASA software versions,, and 9.18.2, and FTD software releases 7.0.4,, and have been released to address the security vulnerability.

Cisco credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the bug.

Also patched by Cisco is a client-side request smuggling flaw in the Clientless SSL VPN (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software that can allow an unauthenticated, remote attacker to conduct browser-based attacks, such as cross-site scripting, against the victim.


The company said the weakness, CVE-2022-20713 (CVSS score: 4.3), impacts Cisco devices that run a release of Cisco ASA Software earlier than release 9.17(1) and have the Clientless SSL VPN feature turned on.

While there are no workarounds to remediate the flaw, affected users can disable the Clientless SSL VPN feature, although Cisco warns that doing so “might adversely influence the performance or efficiency” of the network.

The development comes as cybersecurity firm Rapid7 disclosed details of 10 bugs found in ASA, Adaptive Security Device Manager (ASDM), and FirePOWER Services Software for ASA, 7 of which have since been addressed by Cisco.

These include CVE-2022-20829 (CVSS score: 9.1), CVE-2022-20651 (CVSS score: 5.5), CVE-2021-1585 (CVSS score: 7.5), CVE-2022-20828 (CVSS score: 6.5), and 3 other flaws that have not been assigned a CVE identifier.
