Vulnerable updates in Cisco enterprise software

How even high-end solutions for business can have “childish” bugs in their update delivery systems.

Vulnerable Cisco updates

Among the presentations at this August’s Black Hat 2022 conference, few were of practical use to system administrators and security officers. A welcome exception was the report by Rapid7 researcher, Jacob Baines, who spoke in detail about how he’d analyzed Cisco enterprise software and found multiple vulnerabilities therein. Jacob’s findings are available as slides, in a detailed report, and as a set of utilities on GitHub.

Jacob found 10 issues affecting Cisco Adaptive Security Software, Adaptive Security Device Manager, and Firepower Services Software for ASA. These software solutions control a variety of Cisco systems for enterprise users, including hardware firewalls, end-to-end enterprise security solutions, among others. Seven of these issues Cisco recognized as vulnerabilities, while the remaining three — according to the vendor — don’t affect security. At the time of disclosure, two of the seven vulnerabilities had not been closed — despite the fact that Rapid7 informed Cisco back in February/March 2022 (another was supposedly closed later).

What are the vulnerabilities?

Let’s take a look at two of the most noteworthy. The vulnerability CVE-2022-20829 relates to the update delivery method used in Cisco ASA software. The bug is rather trivial: binary update packages are not validated at all during installation; there’s no digital signature verification or anything like that. Rapid7 showed how to modify Cisco ASDM binary packages to execute arbitrary code when processed.

The second vulnerability of note is CVE-2021-1585. It was discovered in late 2020 by researcher Malcolm Lashley. As he found out, when updates are delivered, the certificate needed to establish a secure connection via a TLS handshake is processed incorrectly. This, in turn, allows an attacker to carry out a man-in-the-middle attack against Cisco clients — that is, substitute their own resource for a legitimate update source. This makes it possible to deliver and execute malicious code instead of a patch. This vulnerability has an interesting history: Malcolm Lashley reported it to Cisco in December 2020. In July 2021, Cisco released details of the vulnerability without a patch. In July 2022, the vulnerability was marked as closed on the internal portal for company clients. Rapid7 showed this not to be the case: if there was a patch, it didn’t work.

Nor can the other vulnerabilities be described as trivial. For example, CVE-2022-20828 can be used to attack a system administrator through remote access. The demonstration gives an example of how a potential attacker can gain full access to the system by entering a single command. What’s more, Rapid7 found that FirePOWER boot modules are not scanned at all. This means that if any vulnerabilities are closed in the software, it’s always possible to roll back the boot image to an earlier, unpatched version. Despite the potential for using such a downgrade in real attacks, Cisco did not even consider it a security issue.

Update delivery difficulties

These vulnerabilities show that even in enterprise software bundled with high-end corporate solutions, the update delivery system can leave much to be desired. Not so long ago, we wrote about a conceptually similar problem in consumer software, namely the Zoom web client for Apple machines. The update checking process seemed quite secure: access to the server was through a secure connection, and the update file was digitally signed. But the signature verification procedure allowed anything to be run instead of a legitimate executable file — and with the highest privileges at that. There’s also an example of “malicious updates” being used in real attacks: in 2018, Kaspersky researchers detected this method in the Slingshot APT campaign to compromise Mikrotik routers.

In Cisco’s case, verification of the digital signature of ASDM binary package updates didn’t even have to be bypassed: it simply didn’t exist (a mechanism supposedly appeared in August 2022, but its reliability has yet to be tested). If truth be told, all the attacks proposed by researchers at Black Hat are quite difficult to carry out. But since we could be talking about a large organization with a lot to lose from file-encrypting ransomware or theft of trade secrets, the risk should be taken seriously.

What to do about it

Given the specifics of these vulnerabilities, the Rapid7 researcher’s main recommendation is to limit, to the extent possible, working in administrator mode with full access. And this refers not only to having high privileges while connecting to the infrastructure remotely. There are many examples that show a hack is possible even given maximum offline isolation — through malicious updates or a simple script that exploits a software vulnerability. Careful monitoring of those individuals with full access to the infrastructure, and also limiting actions performed as administrator will help reduce the risk of a successful attack. But the risk won’t be eliminated entirely…