Headline
CVE-2022-20866: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software RSA Private Key Leak Vulnerability
A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key. The following conditions may be observed on an affected device: This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key. The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key. The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.
This vulnerability affects the following Cisco products, which perform hardware-based cryptographic functions, if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software:
- ASA 5506-X with FirePOWER Services
- ASA 5506H-X with FirePOWER Services
- ASA 5506W-X with FirePOWER Services
- ASA 5508-X with FirePOWER Services
- ASA 5516-X with FirePOWER Services
- Firepower 1000 Series Next-Generation Firewall
- Firepower 2100 Series Security Appliances
- Firepower 4100 Series Security Appliances
- Firepower 9300 Series Security Appliances
- Secure Firewall 3100
Additional information:
This vulnerability affects only Cisco ASA Software releases 9.16.1 and later and Cisco FTD Software releases 7.0.0 and later; all earlier software releases are not affected. If a customer is running Cisco ASA Software Release 9.15 or earlier or Cisco FTD Software Release 6.7 or earlier, the device is not considered vulnerable as long as none of the RSA keys present on the device were generated by a vulnerable software release.
This vulnerability applies to RSA keys only. Elliptic Curve Digital Signature Algorithm (ECDSA) keys and Edwards-curve Digital Signature Algorithm (EdDSA) keys are not vulnerable.
This vulnerability applies to all RSA keys that are stored in memory or flash on a vulnerable software release, which means an RSA key could become malformed or susceptible to the RSA private key leak during the following actions:
- When generating a new RSA key on a vulnerable software release
- When a good RSA key is upgraded from an earlier, non-vulnerable software release to a vulnerable software release
- When importing the RSA key on a vulnerable software release
Thus, any RSA key on a vulnerable software release, regardless of where it was originally generated, could be malformed (non-working but vulnerable to the RSA private key leak) or susceptible (valid but vulnerable to the RSA private key leak). If the RSA key was configured for use at any time, then it is possible the RSA private key has been leaked to malicious actors.
Vulnerable Configurations
If an RSA key is flagged by the Cisco off-box detection script or any of the conditions noted in the Indicators of Compromise section of this advisory, Cisco recommends that the RSA key be replaced and any certificates that use this RSA key pair be revoked and replaced. The following Cisco ASA and FTD Software features are known to be used with a configured RSA key; however, any flagged RSA key should be replaced on the device.
ASA Software
In the following table, the left column lists the Cisco ASA Software features that are potentially vulnerable if a malformed or susceptible RSA key is associated with that feature’s configuration. The right column indicates the basic configuration for the feature from the show running-config CLI command, if it can be determined.
Cisco ASA Software Feature
Possible Vulnerable Configuration
Adaptive Security Device Manager (ASDM)1
http server enable
http
AnyConnect SSL VPN
webvpn
enable
Cisco Security Manager (CSM)1
http server enable
http
Clientless SSL VPN (WebVPN)2
webvpn
enable
Internet Key Exchange Version 1 (IKEv1) VPN (remote access and LAN-to-LAN) using certificate-based authentication
crypto ikev1 enable
crypto ikev1 policy
authentication rsa-sig
tunnel-group ipsec-attributes
trust-point
Internet Key Exchange Version 2 (IKEv2) VPN (remote access and LAN-to-LAN) using certificate-based authentication
crypto ikev2 enable
tunnel-group ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate
Proxy Bypass
webvpn
proxy-bypass
TLS Proxy
tls-proxy
REST API1
rest-api image disk0:/
rest-api agent
SSH Access3
ssh
1. ASDM, CSM, and REST API services are accessible only from an IP address in the configured http command range.
2. Clientless SSL VPN is no longer supported in Cisco ASA Software releases 9.17(1) and later.
3. SSH service is accessible only from an IP address in the configured ssh command range.
FTD Software
In the following table, the left column lists the Cisco FTD Software features that are potentially affected if a malformed or susceptible RSA key is associated with that feature’s configuration. The right column indicates the basic configuration for the feature from the show running-config CLI command, if it can be determined.
Cisco FTD Feature
Possible Vulnerable Configuration
AnyConnect SSL VPN1,2
webvpn
enable
Clientless SSL VPN (WebVPN)2
webvpn
enable
IKEv1 VPN (remote access and LAN-to-LAN) using certificate-based authentication1,2
crypto ikev1 enable
crypto ikev1 policy
authentication rsa-sig
tunnel-group ipsec-attributes
trust-point
IKEv2 VPN (remote access and LAN-to-LAN) using certificate-based authentication1,2
crypto ikev2 enable
tunnel-group ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate
1. Remote access VPN features are enabled through Devices > VPN > Remote Access in Cisco Firepower Management Center (FMC) Software or through Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
2. The Clientless SSL VPN feature is not supported as of Cisco FTD Software Release 7.1.0. However, for earlier Cisco FTD Software releases, it can be enabled using FlexConfig.
Determine Whether the RSA Key Is Malformed or Susceptible
To determine whether the RSA key is malformed or susceptible, use the Cisco off-box detection script, which detects malformed or susceptible RSA keys for which the RSA private key could have been leaked. Customers can run this script on a local machine (not on a Cisco ASA or FTD device) without the sensitive key material ever leaving their environment.
Cisco recommends using this script when a device is running a vulnerable release of Cisco ASA or FTD Software and cannot be upgraded to a fixed software release immediately.
To use the script, do the following:
- Export the RSA key(s) that need testing from a potentially affected device.
- Run the script to identify whether any of the RSA keys are either malformed or susceptible to the RSA private key leak.
For the script and associated documentation, see https://github.com/CiscoPSIRT/CVE-2022-20866.
Note: If an RSA key is not currently configured but was previously configured on a vulnerable software release, then the RSA private key could have been leaked. Cisco recommends removing the RSA key and revoking any certificates that use this RSA key pair.
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco FMC Software.
Related news
Cisco on Wednesday released patches to contain multiple flaws in its software that could be abused to leak sensitive information on susceptible appliances. The issue, assigned the identifier CVE-2022-20866 (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)