Cisco ASA-X with FirePOWER Services Authenticated Command Injection

Disclosed: 2022-06-22
Created: 2022-09-02

Description

This module exploits an authenticated command injection vulnerability affecting
Cisco ASA-X with FirePOWER Services. The exploit is executed through the ASA's
ASDM web server and lands in the FirePOWER Services SFR module's Linux virtual
machine as the root user. Access to the virtual machine allows the attacker to
pivot to the inside network and to access the outside network. Because the SFR
virtual machine runs Snort on the traffic flowing through the ASA, the attacker
should also have access to this diverted traffic.

This module requires ASDM credentials in order to traverse the ASDM interface.
A similar attack can be performed via Cisco CLI (over SSH), although that isn't
implemented here.

Finally, it's worth noting that this attack bypasses the effects of the
`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
available, but this attack makes it available).

Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA devices
that support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER
Services, and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER
module versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will
receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.
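
A defender-side triage of the version guidance above, as an added example that is not part of the module or of Cisco's tooling: it classifies an ASA FirePOWER module version string against the fixed and no-patch releases listed in this description. The function names, status labels, the optional `-build` suffix handling and the sample inventory are assumptions; release trains the page does not mention are reported as unlisted.

```python
import re

# Release guidance exactly as stated in the description above.
FIXED = {                       # train (major, minor) -> first fixed release
    (6, 2): (6, 2, 3, 19),
    (6, 4): (6, 4, 0, 15),
    (6, 6): (6, 6, 7, 0),
    (7, 0): (7, 0, 21, 0),      # "7.0.21" taken literally from the page
}
NO_PATCH_TRAINS = {(6, 3), (6, 5), (6, 7)}    # 6.3.*, 6.5.*, 6.7.*
LAST_UNPATCHED = (6, 2, 2)                    # "6.2.2 and earlier"

def parse_version(text):
    """Parse '6.4.0.15' or '6.4.0-102' (build suffix is an assumption) to a 4-tuple."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})(?:-\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(text):
    """Return 'patched', 'upgrade-available', 'no-patch' or 'unlisted'."""
    v = parse_version(text)
    if v[:3] <= LAST_UNPATCHED or v[:2] in NO_PATCH_TRAINS:
        return "no-patch"           # must migrate to a train that has a fix
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted"           # the page says nothing about this train
    # Assumption: later releases in a fixed train carry the fix forward.
    return "patched" if v >= fixed else "upgrade-available"

def triage(inventory):
    """Map each device name to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "asa-edge-01": "6.2.3-83",
    "asa-edge-02": "6.4.0.15",
    "asa-lab-01": "6.5.0.4",
    "asa-dc-01": "6.2.2.5",
    "asa-dc-02": "7.1.0",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:10} {status}")
```

Devices reported as `no-patch` or `upgrade-available` are the ones to prioritise; `unlisted` results need checking against the vendor advisory rather than this page.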

Author

jbaines-r7

Platform

Linux, Unix

Architectures

cmd, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/http/cisco_asax_sfr_rce
msf exploit(cisco_asax_sfr_rce) > show targets
...targets...
msf exploit(cisco_asax_sfr_rce) > set TARGET <target-id>
msf exploit(cisco_asax_sfr_rce) > show options
...show and set options...
msf exploit(cisco_asax_sfr_rce) > exploit
