Among the presentations at this August's Black Hat 2022 conference, few were of practical use to system administrators and security officers. A welcome exception was the talk by Rapid7 researcher Jacob Baines, who described in detail how he analyzed Cisco enterprise software and found multiple vulnerabilities in it. Jacob's findings are available as slides, as a detailed report, and as a set of utilities on GitHub.

Jacob found 10 issues affecting Cisco Adaptive Security Appliance (ASA) Software, Adaptive Security Device Manager (ASDM), and FirePOWER Services Software for ASA. These products run a range of Cisco systems for enterprise users, including hardware firewalls and end-to-end enterprise security solutions. Cisco recognized seven of these issues as vulnerabilities; the remaining three, according to the vendor, do not affect security. At the time of disclosure, two of the seven vulnerabilities had not been closed, despite Rapid7 having informed Cisco back in February/March 2022 (one of them was reportedly closed later). Let's take a look at two of the most noteworthy.

CVE-2022-20829 concerns the way updates are delivered in Cisco ASA software. The bug is rather trivial: binary update packages are not validated at all during installation; there is no digital signature verification or anything of the kind. Rapid7 showed how an ASDM binary package can be modified so that it executes arbitrary code when processed.

The second vulnerability of note is CVE-2021-1585. It was discovered in late 2020 by researcher Malcolm Lashley. As he found, when updates are delivered, the certificate used to establish a secure connection during the TLS handshake is processed incorrectly. This allows an attacker to carry out a man-in-the-middle attack against Cisco clients, that is, to substitute their own resource for the legitimate update source, and so to deliver and execute malicious code in place of a patch. The vulnerability has an interesting history: Lashley reported it to Cisco in December 2020. In July 2021, Cisco published details of the vulnerability without a patch. In July 2022, it was marked as closed on the company's customer portal. Rapid7 showed this not to be the case: if there was a patch, it didn't work.

Nor can the other vulnerabilities be described as trivial. For example, CVE-2022-20828 can be used to attack a system administrator through remote access; the demonstration shows how a potential attacker could gain full access to the system by entering a single command. What's more, Rapid7 found that FirePOWER boot modules are not checked at all. This means that even when vulnerabilities are fixed in the software, it remains possible to roll the boot image back to an earlier, unpatched version. Despite the potential for using such a downgrade in real attacks, Cisco did not even consider it a security issue.

These vulnerabilities show that even in enterprise software bundled with high-end corporate solutions, the update delivery system can leave much to be desired. Not long ago we wrote about a conceptually similar problem in consumer software, namely the Zoom client for macOS. There, the update check looked quite secure: the server was reached over a secure connection, and the update file was digitally signed. But the signature verification procedure allowed anything to be run in place of the legitimate executable, and with the highest privileges at that. There is also an example of "malicious updates" being used in real attacks: in 2018, Kaspersky researchers found this method being used in the Slingshot APT campaign to compromise MikroTik routers. In Cisco's case, the digital signature verification for ASDM binary package updates didn't even have to be bypassed: it simply didn't exist (a mechanism reportedly appeared in August 2022, but its reliability has yet to be tested).

To be fair, all the attacks proposed by researchers at Black Hat are quite difficult to carry out.
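The two weaknesses described above, update packages installed without any signature check (CVE-2022-20829) and boot images that can be rolled back to an unpatched version, both come down to an updater trusting whatever it is handed. The Go program below is an added illustration written for this page; it is not code from Cisco, Rapid7 or Kaspersky and does not model any real Cisco package format. It puts a deliberately unverified install path beside a hardened one that checks an Ed25519 signature over a manifest, the package digest, and a version number that is only allowed to go up. The package contents, version numbers and keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a signed update should carry alongside the package bytes:
// the package digest, a monotonically increasing version, and an Ed25519
// signature over both, produced with the vendor's private key.
// (Hypothetical format; not any vendor's real manifest.)
type Manifest struct {
	Version   uint64
	Digest    [32]byte
	Signature []byte
}

// signedBytes is the canonical byte string the signature covers. Binding the
// version into it is what stops an attacker from re-labelling an old package.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("v%d:%s", m.Version, hex.EncodeToString(m.Digest[:])))
}

// Sign is the vendor side: only the holder of the private key can produce a
// manifest that InstallVerified will accept.
func Sign(priv ed25519.PrivateKey, version uint64, pkg []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(pkg)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrDigest       = errors.New("package digest does not match manifest")
	ErrRollback     = errors.New("package version is not newer than the installed one")
)

// InstallUnverified models the weak behaviour: whatever arrives is installed.
func InstallUnverified(pkg []byte) (string, error) {
	return string(pkg), nil
}

// InstallVerified is the hardened form. The order matters: the signature is
// checked first, so the digest and version fields are only trusted afterwards.
func InstallVerified(pub ed25519.PublicKey, installed uint64, m Manifest, pkg []byte) (string, error) {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return "", ErrBadSignature
	}
	if sha256.Sum256(pkg) != m.Digest {
		return "", ErrDigest
	}
	if m.Version <= installed {
		return "", ErrRollback
	}
	return string(pkg), nil
}

// outcome renders an install attempt as a short result string.
func outcome(payload string, err error) string {
	if err != nil {
		return "rejected: " + err.Error()
	}
	return "installed: " + payload
}

// RunScenarios drives both installers through the cases discussed in the text
// and reports what each one accepted. Keys are generated on the fly and the
// packages are constructed strings, so nothing here resembles real update data.
func RunScenarios() map[string]string {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	v1 := []byte("payload: asdm version 1 (known vulnerable)")
	v2 := []byte("payload: asdm version 2 (patched)")
	evil := []byte("payload: asdm version 2 with a backdoor")

	m1 := Sign(vendorPriv, 1, v1)
	m2 := Sign(vendorPriv, 2, v2)
	forged := Sign(attackerPriv, 3, evil) // attacker lacks the vendor key

	installed := uint64(1)
	out := map[string]string{}
	out["unverified-backdoor"] = outcome(InstallUnverified(evil))                     // weak path takes anything
	out["genuine-v2"] = outcome(InstallVerified(vendorPub, installed, m2, v2))        // the only good case
	out["tampered-v2"] = outcome(InstallVerified(vendorPub, installed, m2, evil))     // digest mismatch
	out["forged-manifest"] = outcome(InstallVerified(vendorPub, installed, forged, evil)) // wrong key
	out["rollback-to-v1"] = outcome(InstallVerified(vendorPub, 2, m1, v1))            // genuine but older
	return out
}

func main() {
	for name, result := range RunScenarios() {
		fmt.Printf("%-20s %s\n", name, result)
	}
}
```

The rollback case is the one that the unchecked boot module story turns on: the old package is genuinely vendor-signed and its digest matches, so a signature check alone would pass it. Only comparing the signed version against what is already installed catches the downgrade, which is why the version has to be inside the signed data rather than read from an unauthenticated file name.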