Skip to main content
close search
site logo
Dive Brief

Critical flaws on widely used Cisco firewalls left unpatched for months

Most of the vulnerabilities allow attackers to execute arbitrary code, Rapid7 researchers said.

Published Aug. 12, 2022
David Jones's headshot
Reporter
close up programmer man hand typing on keyboard laptop for register data system or access password at dark operation room , cyber security concept - stock photo
Chainarong Prasertthai via Getty Images

Dive Brief:

  • Researchers from Rapid7 discovered 10 vulnerabilities in Cisco firewall and network security products, however after reporting them to the company in February and March, six of the flaws have not been fully patched. 
  • The vulnerabilities were found in Cisco Adaptive Security Software (ASA), ASDM and Firepower Services Software for ASA. Cisco has more than 300,000 security customers, and more than 1 million ASA devices are deployed worldwide. 
  • Most of the vulnerabilities allow attackers to execute arbitrary code, Jake Baines, lead security researcher at Rapid7, said via email. Rapid7 researchers presented the findings this week at Black Hat USA in Las Vegas.

Dive Insight:

Rapid7 researchers have conducted extensive zero-day research on devices that connect to the internet and previously found vulnerabilities in SonicWall firewalls in January and Zyxel VPN firewalls in April, Barnes said. Malicious actors have frequently targeted these types of devices in the past. 

The Cisco ASA has been affected by five vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities list, including some released during the ShadowBrokers’ dump, Extrabacon and EpicBanana, according to Baines. 

Some of the vulnerabilities execute code on administrative systems connecting to ASA and some execute code on a virtual machine hosted on the ASA-X with firepower systems, according to Baines.

“The how and why is a bit complicated, but ultimately, a number of these vulnerabilities allow a malicious attacker to install malicious software on the ASA, which turns the system into a Trojan horse,” Baines said.

Cisco said it is aware of the vulnerabilities reported by Rapid7 researchers and is tracking the vulnerabilities with three advisories and three software bug release notes, according to a spokesperson. 

“Cisco works in close coordination with the security community to help protect our customers, and we appreciate the collaboration with the security researchers who brought these vulnerabilities to our attention,” the spokesperson said via email. 

The vulnerabilities have likely been unpatched for years, Baines said. In particular, customers appear not to be updating their ASDM updates on their ASA. When Rapid7 scanned the internet for ASA using ASDM, the most popular version being used was originally released in 2017, Baines said. 

Despite the initial delays, Baines praised the response of Cisco to the research, calling it very professional. 

“They put in a significant amount of effort into ensuring they understood all the issues we were conveying to them, and were always willing to listen to our opinions on the issues,” Baines said.

 

Filed Under: Threats

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Threats
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell