Cisco ASA-X with FirePOWER Services Authenticated Command Injection

Description

This module exploits an authenticated command injection vulnerability affecting Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's ASDM web server and lands in the FirePower Services SFR module's Linux virtual machine as the root user. Access to the virtual machine allows the attacker to pivot to the inside network, and access the outside network. Also, the SFR virtual machine is running snort on the traffic flowing through the ASA, so the attacker should have access to this diverted traffic as well. This module requires ASDM credentials in order to traverse the ASDM interface. A similar attack can be performed via Cisco CLI (over SSH), although that isn't implemented here. Finally, it's worth noting that this attack bypasses the affects of the `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be available but this attack makes it available). Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service, and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.

Author(s)

• jbaines-r7

Platform

Linux,Unix

Architectures

cmd, x64