Insufficient verification of ASDM images in Cisco ASA
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-20829 |
| CWE-ID | CWE-345 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Cisco Adaptive Security Appliance (ASA) Hardware solutions / Security hardware applicances Cisco Adaptive Security Device Manager (ASDM) Client/Desktop applications / Software for system administration |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Insufficient verification of data authenticity
EUVDB-ID: #VU64596
Risk: Medium
CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-20829
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user compromise the affected system.
The vulnerability exists due to insufficient verification of Cisco Adaptive Security Device Manager (ASDM) images deployed to Cisco Adaptive Security Appliance (ASA) Software. A remote privileged user can upload a malicious ASDM image to a device that is running Cisco ASA Software and compromise the system.
Install updates from vendor's website.
Vulnerable software versionsCisco Adaptive Security Appliance (ASA): 9.0 - 9.18.1
Cisco Adaptive Security Device Manager (ASDM): 7.15.1 - 7.18
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-asdm-sig-NPKvwDjm
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb05264
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb05291
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
