![]() The issue was originally reported by Malcolm Lashley and was disclosed without a fix by Cisco in July 2021. Cisco indicated this was a duplicate issue, although they updated CVE-2022-20651’s affected versions to include the version Rapid7 reported and issued a new release of ASDM (7.17.1.155) in June.Ĭisco ASDM client is affected by an unauthenticated remote code execution vulnerability. The Cisco ASDM client does not verify the server’s SSL certificate, which makes it vulnerable to man-in-the-middle (MITM) attacks.Ĭisco ASDM client sometimes logs credentials to a local log file. ![]() A malicious ASDM package can be installed on a Cisco ASA resulting in arbitrary code execution on any client system that connects to the ASA via ASDM. DescriptionĬisco ASDM binary packages are not signed. The following table lists the vulnerabilities and the last current status that we were able to verify ourselves.įor information on vulnerability checks in InsightVM and Nexpose, please see the Rapid7 customers section at the end of this blog. ![]() Rapid7 and Cisco continued discussing impact and resolution of the issues through August 2022. Rapid7 initially reported the issues to Cisco in separate disclosures in February and March 2022. Rapid7 discovered vulnerabilities and “non-security” issues affecting Cisco Adaptive Security Software (ASA), Adaptive Security Device Manager (ASDM), and FirePOWER Services Software for ASA.
0 Comments
Leave a Reply. |