Rewterz Threat Advisory – Multiple Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2022-20866 CVSS:7.4

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software could allow a remote attacker to obtain sensitive information, caused by a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. By utilize side-channel attack techniques, an attacker could exploit this vulnerability to obtain the RSA private key information, and use this information to launch further attacks against the affected system.

CVE-2022-20713 CVSS:4.3

Cisco Adaptive Security Appliance Software is vulnerable to HTTP request smuggling, caused by improper validation of input passed to the Clientless SSL VPN component. By persuading a victim to visit a specially-crafted Website, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Impact

• Information Disclosure
• Unauthorized Access

Indicators Of Compromise

CVE

• CVE-2022-20866
• CVE-2022-20713

Affected Vendors

Cisco

Affected Products

• Cisco Firepower Threat Defense Software 7.0.0
• Cisco Firepower Threat Defense Software 7.1.0
• Cisco Adaptive Security Appliance Software 9.16
• Cisco Adaptive Security Appliance Software 9.17
• Cisco Adaptive Security Appliance Software 9.18
• Cisco Firepower Threat Defense Software 7.2.0

Remediation

Refer to Cisco Security Advisory for patch, upgrade or suggested workaround information.

Cisco Security Advisory