Cisco has fixed a high-severity vulnerability affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. CVE-2022-20866 with a CVSS score of 7.4 is related to a flaw in the handling of RSA keys on ASA and FTD devices.

If successfully exploited, the bug could allow an unauthorized attacker to remotely obtain the RSA private key, which they can use to decrypt device traffic or impersonate Cisco ASA/FTD devices.

According to the Cisco Security Bulletin, this vulnerability occurs due to a logical error when an RSA key is stored in memory on a hardware platform that performs hardware cryptography. An attacker could exploit this vulnerability and conduct a side-channel attack using the Lenstra algorithm. RSA keys in vulnerable versions of software may be vulnerable to theft, regardless of where they were generated.

The vulnerability affects Cisco products that use the vulnerable Cisco ASA (9.16.1 and later) or Cisco FTD (7.0.0 and later) software that performs hardware cryptographic functions:

  • ASA 5506-X with FirePOWER Services;
  • ASA 5506H-X with FirePOWER Services;
  • ASA 5506W-X with FirePOWER Services;
  • ASA 5508-X with FirePOWER Services;
  • ASA 5516-X with FirePOWER Services;
  • Firepower 1000 Series Next-Generation Firewall
  • Firepower 2100 Series Security Appliances
  • Firepower 4100 Series Security Appliances
  • Firepower 9300 Series Security Appliances
  • Secure Firewall 3100

If the key was configured to be used at all times, it’s also possible that the private RSA key was shared with an attacker, according to Cisco. Because of this vulnerability, Cisco ASA or FTD device administrators may need to remove corrupted or vulnerable RSA keys and possibly revoke any certificates associated with those keys.

The Cisco Security Incident Response Team (PSIRT) found no evidence of exploitation of the flaw in attacks, although information about this vulnerability has already been published. The Cisco security advisories provide additional information about  vulnerable configurations  and  indicators of compromise  for patched versions of the Cisco ASA or FTD.

Cisco credited Nadia Heninger and George Sullivan of UC San Diego and Jackson Sipp and Eric Wustrow of the University of Colorado Boulder for reporting the security vulnerability.