Cisco Fixes Bug Allowing RSA Private Key Theft on ASA, FTD Devices
Cisco has addressed a high severity vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
Tracked as CVE-2022-20866, this security flaw is due to a weakness in handling RSA keys on ASA and FTD devices.
If successfully exploited, it can let unauthenticated attackers retrieve an RSA private key remotely, which they can use to decrypt the device traffic or impersonate Cisco ASA/FTD devices.
“This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco said in a security advisory published on Wednesday.
“An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device.”
RSA keys (stored in memory or flash) on vulnerable software releases could be malformed (non-working but vulnerable to private key theft) or susceptible (valid but vulnerable to theft), regardless of where they were generated.
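The two defensive checks implied above, as an added Python example that is not Cisco's code: a consistency test that flags a malformed RSA key, and the standard Lenstra countermeasure of verifying an RSA-CRT signature with the public key before releasing it, since a faulty CRT signature lets whoever observes it factor the modulus. The key material is a constructed demo-size key (two Mersenne primes), far too small for real use.

```python
import math
from dataclasses import dataclass

# Constructed demo key: two well-known Mersenne primes. Small enough to run
# instantly, large enough to exercise the CRT arithmetic honestly.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537

@dataclass
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int

def make_key(p, q, e):
    phi = (p - 1) * (q - 1)
    return RsaKey(p * q, e, pow(e, -1, phi), p, q)

def key_is_consistent(k):
    """Flags a malformed key: n must equal p*q, d must invert e modulo
    lcm(p-1, q-1), and a private/public round-trip must recover the input."""
    if k.p * k.q != k.n:
        return False
    lam = (k.p - 1) * (k.q - 1) // math.gcd(k.p - 1, k.q - 1)
    if (k.e * k.d) % lam != 1:
        return False
    m = 0xDEADBEEF % k.n
    return pow(pow(m, k.d, k.n), k.e, k.n) == m

def crt_sign(k, m, fault_sp=None):
    """RSA-CRT signing (Garner recombination). `fault_sp` is a demo hook
    that corrupts the mod-p half to model a faulty computation."""
    sp = pow(m, k.d % (k.p - 1), k.p) if fault_sp is None else fault_sp
    sq = pow(m, k.d % (k.q - 1), k.q)
    h = (pow(k.q, -1, k.p) * (sp - sq)) % k.p
    return sq + k.q * h

def sign_checked(k, m, fault_sp=None):
    """Lenstra countermeasure: never release a CRT signature that does not
    verify under the public key; a faulty one would leak a factor of n."""
    s = crt_sign(k, m, fault_sp)
    if pow(s, k.e, k.n) != m:
        raise RuntimeError("faulty RSA-CRT signature suppressed")
    return s

def demo(m=12345):
    """Returns (good signature verifies, faulty signature was suppressed)."""
    k = make_key(P, Q, E)
    good = pow(sign_checked(k, m), k.e, k.n) == m
    try:
        sign_checked(k, m, fault_sp=1)
        suppressed = False
    except RuntimeError:
        suppressed = True
    return good, suppressed
```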
The vulnerability affects Cisco products running vulnerable Cisco ASA (9.16.1 and later) or Cisco FTD (7.0.0 and later) software that performs hardware-based cryptographic functions:
- ASA 5506-X with FirePOWER Services
- ASA 5506H-X with FirePOWER Services
- ASA 5506W-X with FirePOWER Services
- ASA 5508-X with FirePOWER Services
- ASA 5516-X with FirePOWER Services
- Firepower 1000 Series Next-Generation Firewall
- Firepower 2100 Series Security Appliances
- Firepower 4100 Series Security Appliances
- Firepower 9300 Series Security Appliances
- Secure Firewall 3100
Cisco says that if a key was configured for use at any time, it is also possible that the RSA private key has been leaked to threat actors.
“As the result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys,” the company added.
“This is because it is possible the RSA private key has been leaked to a malicious actor.”
Cisco has credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the security flaw.
The networking giant’s Product Security Incident Response Team (PSIRT) says it found no evidence of exploitation in attacks, although information regarding this vulnerability has already been shared publicly.
One week ago, Cisco also addressed critical security bugs affecting Small Business VPN routers that can let unauthenticated attackers execute arbitrary code or commands remotely and trigger a denial of service (DoS) on unpatched devices.