Rapid7 researchers also warn only a very small percentage of users have applied updates.
Cisco has more than 300,000 customers using its security products and more than 1 million ASA devices are deployed around the world.
Rapid7 said the overarching point of the research they’ve conducted on Cisco highlights the risk of a malicious actor using ASA to hide or embed malicious code to gain further access into a targeted network. Essentially, ASA can be treated as a “Trojan horse” to launch attacks.
“We’ve demonstrated that a man-in-the-middle or evil endpoint can still execute arbitrary code by attacking ASDM,” Jake Baines, lead security researcher at Rapid7, said via email. “Although we’ve shared this information with Cisco, it appears they intend to leave this unaddressed to support backwards compatibility with old versions of ASDM.”
Baines said Rapid7 has released some YARA rules to help users determine if they’ve installed malicious software.
Cisco said it released fixed software for all of the vulnerabilities previously disclosed by Rapid7 researchers. A Cisco spokesperson said CVE-2021-1985 is fixed once both the Cisco Adaptive Security Device Manager on the device running Cisco Adaptive Security Appliance (ASA) software and the Cisco ASDM-IDM launcher on the user's local machine are updated.
“A click-through bypass window only presents itself if a user connects to a device running an out-of-date version of Cisco ASDM using a local machine that runs the latest Cisco ASDM-IDM Launcher update,” the Cisco spokesperson said via email.
The Cisco spokesperson added that some customers may not have upgraded to a version of ASDM that fixes CVE-2021-1985.
“Cisco has a robust process in place to inform its customers about security vulnerabilities in our products and how to mitigate them,” the spokesperson said. “Please refer to the specific security advisories for the latest information.”