cisco-sa-asaftd-rsa-key-leak-ms7uefzz
Vulnerability from csaf_cisco
Published
2022-08-10 16:00
Modified
2022-08-10 16:00
Summary
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software RSA Private Key Leak Vulnerability
Notes
Summary
A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key.
This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key.
The following conditions may be observed on an affected device:
This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key.
The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key.
The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz
Vulnerable Products
This vulnerability affects the following Cisco products, which perform hardware-based cryptographic functions, if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software:
ASA 5506-X with FirePOWER Services
ASA 5506H-X with FirePOWER Services
ASA 5506W-X with FirePOWER Services
ASA 5508-X with FirePOWER Services
ASA 5516-X with FirePOWER Services
Firepower 1000 Series Next-Generation Firewall
Firepower 2100 Series Security Appliances
Firepower 4100 Series Security Appliances
Firepower 9300 Series Security Appliances
Secure Firewall 3100
Additional information:
This vulnerability affects only Cisco ASA Software releases 9.16.1 and later and Cisco FTD Software releases 7.0.0 and later; all earlier software releases are not affected. If a customer is running Cisco ASA Software Release 9.15 or earlier or Cisco FTD Software Release 6.7 or earlier, the device is not considered vulnerable as long as none of the RSA keys present on the device were generated by a vulnerable software release.
This vulnerability applies to RSA keys only. Elliptic Curve Digital Signature Algorithm (ECDSA) keys and Edwards-curve Digital Signature Algorithm (EdDSA) keys are not vulnerable.
This vulnerability applies to all RSA keys that are stored in memory or flash on a vulnerable software release, which means an RSA key could become malformed or susceptible to the RSA private key leak during the following actions:
When generating a new RSA key on a vulnerable software release
When a good RSA key is upgraded from an earlier, non-vulnerable software release to a vulnerable software release
When importing the RSA key on a vulnerable software release
Thus, any RSA key on a vulnerable software release, regardless of where it was originally generated, could be malformed (non-working but vulnerable to the RSA private key leak) or susceptible (valid but vulnerable to the RSA private key leak). If the RSA key was configured for use at any time, then it is possible the RSA private key has been leaked to malicious actors.
Vulnerable Configurations
If an RSA key is flagged by the Cisco off-box detection script or any of the conditions noted in the Indicators of Compromise section of this advisory, Cisco recommends that the RSA key be replaced and any certificates that use this RSA key pair be revoked and replaced. The following Cisco ASA and FTD Software features are known to be used with a configured RSA key; however, any flagged RSA key should be replaced on the device.
ASA Software
In the following table, the left column lists the Cisco ASA Software features that are potentially vulnerable if a malformed or susceptible RSA key is associated with that feature's configuration. The right column indicates the basic configuration for the feature from the show running-config CLI command, if it can be determined.
Cisco ASA Software Feature | Possible Vulnerable Configuration

Adaptive Security Device Manager (ASDM) [1]
  http server enable <port>
  http <remote_ip_address> <remote_subnet_mask> <interface_name>

AnyConnect SSL VPN
  webvpn
   enable <interface_name>

Cisco Security Manager (CSM) [1]
  http server enable <port>
  http <remote_ip_address> <remote_subnet_mask> <interface_name>

Clientless SSL VPN (WebVPN) [2]
  webvpn
   enable <interface_name>

Internet Key Exchange Version 1 (IKEv1) VPN (remote access and LAN-to-LAN) using certificate-based authentication
  crypto ikev1 enable <interface_name>
  crypto ikev1 policy <priority>
   authentication rsa-sig
  tunnel-group <tunnel_group_name> ipsec-attributes
   trust-point <trustpoint_name>

Internet Key Exchange Version 2 (IKEv2) VPN (remote access and LAN-to-LAN) using certificate-based authentication
  crypto ikev2 enable <interface_name>
  tunnel-group <tunnel_group_name> ipsec-attributes
   ikev2 remote-authentication certificate
   ikev2 local-authentication certificate <trustpoint_name>

Proxy Bypass
  webvpn
   proxy-bypass

TLS Proxy
  tls-proxy <name>

REST API [1]
  rest-api image disk0:/<image name>
  rest-api agent

SSH Access [3]
  ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
1. ASDM, CSM, and REST API services are accessible only from an IP address in the configured http command range.
2. Clientless SSL VPN is no longer supported in Cisco ASA Software releases 9.17(1) and later.
3. SSH service is accessible only from an IP address in the configured ssh command range.
FTD Software
In the following table, the left column lists the Cisco FTD Software features that are potentially affected if a malformed or susceptible RSA key is associated with that feature's configuration. The right column indicates the basic configuration for the feature from the show running-config CLI command, if it can be determined.
Cisco FTD Feature | Possible Vulnerable Configuration

AnyConnect SSL VPN [1,2]
  webvpn
   enable <interface_name>

Clientless SSL VPN (WebVPN) [2]
  webvpn
   enable <interface_name>

IKEv1 VPN (remote access and LAN-to-LAN) using certificate-based authentication [1,2]
  crypto ikev1 enable <interface_name>
  crypto ikev1 policy <priority>
   authentication rsa-sig
  tunnel-group <tunnel_group_name> ipsec-attributes
   trust-point <trustpoint_name>

IKEv2 VPN (remote access and LAN-to-LAN) using certificate-based authentication [1,2]
  crypto ikev2 enable <interface_name>
  tunnel-group <tunnel_group_name> ipsec-attributes
   ikev2 remote-authentication certificate
   ikev2 local-authentication certificate <trustpoint_name>
1. Remote access VPN features are enabled through Devices > VPN > Remote Access in Cisco Firepower Management Center (FMC) Software or through Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
2. The Clientless SSL VPN feature is not supported as of Cisco FTD Software Release 7.1.0. However, for earlier Cisco FTD Software releases, it can be enabled using FlexConfig.
Determine Whether the RSA Key Is Malformed or Susceptible
To determine whether the RSA key is malformed or susceptible, use the Cisco off-box detection script, which detects malformed or susceptible RSA keys for which the RSA private key could have been leaked. Customers can run this script on a local machine (not on a Cisco ASA or FTD device) without the sensitive key material ever leaving their environment.
Cisco recommends using this script when a device is running a vulnerable release of Cisco ASA or FTD Software and cannot be upgraded to a fixed software release immediately.
To use the script, do the following:
Export the RSA key(s) that need testing from a potentially affected device.
Run the script to identify whether any of the RSA keys are either malformed or susceptible to the RSA private key leak.
For the script and associated documentation, see https://github.com/CiscoPSIRT/CVE-2022-20866.
Note: If an RSA key is not currently configured but was previously configured on a vulnerable software release, then the RSA private key could have been leaked. Cisco recommends removing the RSA key and revoking any certificates that use this RSA key pair.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco FMC Software.
Details
Lenstra Side-Channel Attack
In 1996, Arjen Lenstra described an attack against Chinese remainder theorem optimization (RSA-CRT). This attack is possible if a fault happens during the computation of a cryptographic signature when using RSA-CRT optimization. An attacker could potentially recover the private key from the signature. This attack is also known as an RSA-CRT key leak. The Lenstra attack is a well-known side-channel attack. It does not attack the RSA algorithm directly but could exploit flaws in the implementation.
For additional information on the attack, see the Memo on RSA signature generation in the presence of faults ["https://infoscience.epfl.ch/record/164524"].
The vulnerability described in this advisory could result in an RSA key for which the Lenstra side-channel attack is successful, potentially allowing the attacker to derive the RSA private key.
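The following is an added illustration of the mechanism just described; it is not Cisco's code or its detection script. It implements RSA-CRT signing with a simulated fault in the mod-p half, the public-key check that refuses to release such a signature, and an audit showing why an unchecked faulty signature exposes a factor of n. The key parameters are constructed toy values.

```python
"""RSA-CRT signing and the verify-before-release countermeasure.

Added example, not Cisco code: it shows why a fault during an RSA-CRT
signature is dangerous (the Lenstra attack outlined above) and the standard
implementation check that stops a faulty signature from ever being released.
Key parameters are constructed toy values, far too small for real use.
"""
from math import gcd

# Constructed toy key: two known primes and the usual public exponent.
P, Q = 104729, 104723
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)    # CRT exponents
QINV = pow(Q, -1, P)                 # q^-1 mod p, used by Garner recombination


def crt_sign(m: int, fault_p: bool = False) -> int:
    """Sign m with RSA-CRT; fault_p simulates one corrupted bit in the mod-p half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_p:
        sp ^= 1                      # injected fault: s_p is now wrong, s_q is still right
    h = (QINV * (sp - sq)) % P
    return sq + h * Q                # Garner: s == sp (mod p) and s == sq (mod q)


def verify(m: int, s: int) -> bool:
    """Public-key check of a signature: s^e == m (mod n)."""
    return pow(s, E, N) == m % N


def checked_sign(m: int, fault_p: bool = False):
    """Verify-before-release: return the signature, or None if the CRT result is faulty."""
    s = crt_sign(m, fault_p)
    return s if verify(m, s) else None


def signature_leaks_factor(m: int, s: int) -> bool:
    """Audit a released signature.

    After a CRT fault, s^e - m is divisible by exactly one of the primes, so
    gcd(s^e - m, n) is a nontrivial factor of n. This is the leak that
    checked_sign() prevents; for a correct signature the gcd is n itself.
    """
    g = gcd(pow(s, E, N) - m, N)
    return 1 < g < N


if __name__ == "__main__":
    msg = 123456789                  # constructed message representative (< n)
    print("good signature released:   ", checked_sign(msg) is not None)
    print("faulty signature released: ", checked_sign(msg, fault_p=True) is not None)
    print("unchecked faulty sig leaks:", signature_leaks_factor(msg, crt_sign(msg, fault_p=True)))
```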
Indicators of Compromise
These indicators of compromise are available on Cisco ASA or FTD Software fixed releases only. They are not available on previous software releases.
When an affected device is upgraded to a fixed software release, some or all of these indicators may be present to alert an administrator that the device has an RSA key for which the RSA private key may have been leaked.
How to Detect Malformed or Susceptible RSA Keys When Upgrading to a Fixed Software Release
Critical Syslog Messages
When an affected device is upgraded to a fixed software release, two new syslog messages will alert the administrator if malformed or potentially susceptible RSA keys are detected. These messages mean that the RSA key(s) flagged could have leaked the RSA private key. The new syslog messages are logged at the CRITICAL level and can be viewed by an administrator using the show logging CLI command. The ASA or FTD prefix is specific to the type of device the syslog is being displayed on. The new syslog messages will appear as follows:
%ASA-1-717065: Keypair <name> is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and will be cleared in memory. Please remove this key.
%FTD-1-717065: Keypair <name> is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and will be cleared in memory. Please remove this key.
Syslog messages ASA-1-717065 and FTD-1-717065 indicate that a malformed RSA key was detected that was vulnerable to the RSA private key leak described in this security advisory. The malformed RSA key was disabled and cannot be used. This RSA key was not functional previously and must be replaced. Any certificates using this RSA key pair must also be revoked and replaced.
%ASA-1-717066: Keypair <name> is valid but may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.
%FTD-1-717066: Keypair <name> is valid but may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.
Syslog messages ASA-1-717066 and FTD-1-717066 indicate that although the RSA key is not malformed, it was susceptible to the RSA private key leak described in this security advisory. It is highly recommended that this RSA key be replaced and any certificates using this RSA key pair be revoked and replaced.
Error Counters
When an affected device is upgraded to a fixed software release, several new error counters will indicate if a malformed or susceptible RSA key is detected. To view these counters, use the show counters | grep PKI CLI command. The new error counters appear as follows:
asaftd# show counters | grep PKI
...
PKI RSAKEY_INVAL_VULN 1 Summary
PKI RSAKEY_INVAL_SCRUB 1 Summary
PKI RSAKEY_INVAL_NOT_VULN 1 Summary
PKI RSAKEY_VALID_SHORT 1 Summary
PKI RSAKEY_ANALYSIS_ERROR 1 Summary
PKI RSAKEY_SCRUB_ERROR 1 Summary
The meaning of each new error counter is as follows:
RSAKEY_INVAL_VULN: Invalid vulnerable key detected
RSAKEY_INVAL_SCRUB: Invalid vulnerable key cleared in memory
RSAKEY_INVAL_NOT_VULN: Invalid key, not vulnerable
RSAKEY_VALID_SHORT: Valid key vulnerable in previous affected versions
RSAKEY_ANALYSIS_ERROR: An error occurred during analysis
RSAKEY_SCRUB_ERROR: An error occurred while scrubbing a key
These counters are incremented when a corresponding syslog message is logged and require the affected RSA key to be replaced and any certificates using the RSA key pair to be revoked and replaced.
Device Boot Warnings
After an affected device is upgraded to a fixed software release, one or more of the following console log messages may be observed during the boot sequence if a malformed or susceptible RSA key is detected:
CRITICAL: RSA key <name> is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and has been cleared in memory. Please remove this key.
CRITICAL: RSA key <name> may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.
Each of these boot-time warnings will have a corresponding syslog message logged and requires the RSA key to be replaced and any certificates using the RSA key pair to be revoked and replaced.
Debug Menu Commands
After upgrading an affected Cisco ASA or FTD device to a fixed software release, use the new debug command debug menu pki 60 to parse all RSA keys on the device. The command output will display the state of each RSA key to show whether any of them may have been compromised. The Validity column gives the current status of each RSA key. The value INVALID in this column indicates that the RSA private key may have been leaked. An example of output from the debug command is as follows:
asa# debug menu pki 60
Key Name : Validity : Cisco RSA Malformed Key Vulnerability
: : (CVE-2022-20866) exposure status
------------------------ : --------- : -------------------------------------
<Default-RSA-Key> : Valid : No exposure characteristics
test1 : Valid : ** Possible exposure in earlier software versions
test3 : INVALID : No exposure characteristics
test8 : INVALID : ** Key generated by affected version, cleared in memory
tets2 : ERROR : ** Error during analysis
test4 : INVALID : ** Has exposure characteristics
test5 : unknown : Key pair not analyzed
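The following added example (not Cisco code) turns the two indicators above, the 717065/717066 syslog messages and the debug menu pki 60 table, into a list of keypairs whose certificates need revocation. The sample log lines and table are constructed from the message formats shown in this advisory.

```python
"""Triage the CVE-2022-20866 indicators that a fixed ASA/FTD release emits.

Added example, not Cisco code: it parses the two new syslog messages
(717065 = malformed key, 717066 = valid but susceptible key) and the
'debug menu pki 60' table, and returns the keypairs whose certificates
should be revoked and replaced. Sample data below is constructed.
"""
import re
from typing import Dict, Iterable

# Only the two new message IDs matter; the %ASA-/%FTD- prefix varies by platform.
SYSLOG_RE = re.compile(r"%(?:ASA|FTD)-1-(717065|717066): Keypair (\S+) ")
SYSLOG_REASON = {
    "717065": "malformed: key cleared in memory, replace key and revoke certificates",
    "717066": "susceptible: valid key exposed on a vulnerable release, replace key and revoke certificates",
}


def triage_syslog(lines: Iterable[str]) -> Dict[str, str]:
    """Return {keypair_name: reason} for every 717065/717066 message in a log."""
    flagged: Dict[str, str] = {}
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            flagged[m.group(2)] = SYSLOG_REASON[m.group(1)]
    return flagged


def triage_debug_menu(output: str) -> Dict[str, str]:
    """Parse 'debug menu pki 60' rows of the form  <name> : <validity> : <status>.

    INVALID in the Validity column, or a status marked with '**', means the
    private key may have leaked. ERROR rows need a manual look. Rows marked
    'unknown' were not analyzed and are left out.
    """
    flagged: Dict[str, str] = {}
    for row in output.splitlines():
        parts = [p.strip() for p in row.split(" : ")]
        # Skip the prompt, the two header lines and the dashed separator.
        if len(parts) != 3 or parts[0] == "Key Name" or set(parts[1]) <= set("- "):
            continue
        name, validity, status = parts
        if validity == "ERROR":
            flagged[name] = "ERROR: analysis failed, inspect this key manually"
        elif validity == "INVALID" or status.startswith("**"):
            flagged[name] = f"{validity}: {status.lstrip('* ')}"
    return flagged


def keys_to_replace(syslog_lines: Iterable[str], debug_output: str) -> Dict[str, str]:
    """Union of both indicator sources; the syslog reason wins when a key appears in both."""
    merged = triage_debug_menu(debug_output)
    merged.update(triage_syslog(syslog_lines))
    return merged


# Constructed sample log: two indicator messages amid unrelated noise.
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51234",
    "%ASA-1-717065: Keypair test3 is invalid due to the Cisco RSA Private Key Leak "
    "Vulnerability (CVE-2022-20866) and will be cleared in memory. Please remove this key.",
    "%FTD-1-717066: Keypair vpn-cert-key is valid but may have been vulnerable to exposure "
    "in previous versions due to the Cisco RSA Private Key Leak Vulnerability "
    "(CVE-2022-20866). Please remove this key.",
]

# Constructed 'debug menu pki 60' output following the advisory's example table.
SAMPLE_DEBUG_MENU = """asa# debug menu pki 60
Key Name : Validity : Cisco RSA Malformed Key Vulnerability
 : : (CVE-2022-20866) exposure status
------------------------ : --------- : -------------------------------------
<Default-RSA-Key> : Valid : No exposure characteristics
test1 : Valid : ** Possible exposure in earlier software versions
test3 : INVALID : No exposure characteristics
test8 : INVALID : ** Key generated by affected version, cleared in memory
tets2 : ERROR : ** Error during analysis
test4 : INVALID : ** Has exposure characteristics
test5 : unknown : Key pair not analyzed
"""

if __name__ == "__main__":
    for name, reason in sorted(keys_to_replace(SAMPLE_SYSLOG, SAMPLE_DEBUG_MENU).items()):
        print(f"{name:20} {reason}")
```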
Undetectable Malformed RSA Key
It is not possible to detect a malformed or susceptible RSA key that was used in the past and has since been removed. Some RSA keys may not have been functional due to being malformed, so during normal operations, they might have been removed and regenerated. If there is any concern that a malformed or susceptible RSA key was in use on a device in the past, ensure that any certificates using this RSA key pair have been revoked.
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
Cisco has released free software updates ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu"] that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
The Cisco Support and Downloads page ["https://www.cisco.com/c/en/us/support/index.html"] on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.
ASA Software
Cisco ASA Software Release | First Fixed Release
9.15 and earlier [1]       | Not vulnerable
9.16                       | 9.16.3.19
9.17                       | 9.17.1.13
9.18                       | 9.18.2
1. If a Cisco ASA device was upgraded to a vulnerable release and then downgraded to a non-vulnerable release—for example, upgraded to Release 9.16.1 and then downgraded to Release 9.14.3.18—the RSA keys on the non-vulnerable release could be malformed or susceptible because they were saved on a vulnerable release. If a Cisco ASA device has been upgraded and downgraded in this manner, please ensure that the RSA keys are valid.
FTD Software
Cisco FTD Software Release | First Fixed Release
6.7.0 and earlier [1]      | Not vulnerable
7.0.0                      | 7.0.4
7.1.0                      | Cisco_FTD_Hotfix_P-7.1.0.2-2.sh.REL.tar
                           | Cisco_FTD_SSP_FP1K_Hotfix_P-7.1.0.2-2.sh.REL.tar
                           | Cisco_FTD_SSP_FP2K_Hotfix_P-7.1.0.2-2.sh.REL.tar
                           | Cisco_FTD_SSP_Hotfix_P-7.1.0.2-2.sh.REL.tar
                           | Cisco_FTD_SSP_FP3K_Hotfix_Q-7.1.0.3-2.sh.REL.tar
7.2.0                      | 7.2.0.1
1. If a Cisco FTD device was upgraded to a vulnerable release and then downgraded to a non-vulnerable release—for example, upgraded to Release 7.0.0 and then downgraded to Release 6.4.0.15—the RSA keys on the non-vulnerable release could be malformed or susceptible because they were saved on a vulnerable release. If a Cisco FTD device has been upgraded and downgraded in this manner, please ensure that the RSA keys are valid.
For instructions on upgrading a Cisco FTD device, see the Cisco Firepower Management Center Upgrade Guide ["https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/getting_started.html"].
Note: See the Indicators of Compromise section for more information on the detection of RSA keys that may have been compromised when upgrading to a fixed software release.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Recommendations
As the result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys. This is because it is possible the RSA private key has been leaked to a malicious actor. For additional assistance, see the following technical documentation:
Cisco ASA Software
Cisco ASA Series General Operations CLI Configuration Guide - Digital Certificates ["https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/basic-certs.html"]
Configure ASA: SSL Digital Certificate Installation and Renewal ["https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html"]
Cisco FTD Software
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager - Certificates ["https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-certificates.html"]
Certificate Installation and Renewal on FTD managed by FDM ["https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html"]
Install and Renew Certificates on FTD Managed by FMC ["https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html"]
Customers are advised to contact the Cisco TAC or their contracted maintenance providers if further assistance is needed.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco PSIRT is aware of a public announcement of the vulnerability that is described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
Source
Cisco would like to thank Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting this vulnerability.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Please remove this key.\r\n\r\n%FTD-1-717065: Keypair \u003cname\u003e is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and will be cleared in memory. Please remove this key.\r\n\r\nSyslog messages ASA-1-717065 and FTD-1-717065 indicate that a malformed RSA key was detected that was vulnerable to the RSA private key leak described in this security advisory. The malformed RSA key was disabled and cannot be used. This RSA key was not functional previously and must be replaced. Any certificates using this RSA key pair must also be revoked and replaced.\r\n\r\n%ASA-1-717066: Keypair \u003cname\u003e is valid but may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.\r\n\r\n%FTD-1-717066: Keypair \u003cname\u003e is valid but may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.\r\n\r\nSyslog messages ASA-1-717066 and FTD-1-717066 indicate that although the RSA key is not malformed, it was susceptible to the RSA private key leak described in this security advisory. It is highly recommended that this RSA key be replaced and any certificates using this RSA key pair be revoked and replaced.\r\n\r\nError Counters\r\n\r\nWhen an affected device is upgraded to a fixed software release, several new error counters will indicate if a malformed or susceptible RSA key is detected. To view these counters, use the show counters | grep PKI CLI command. 
The new error counters appear as follows:\r\n\r\n\r\nasaftd# show counters | grep PKI\r\n...\r\nPKI RSAKEY_INVAL_VULN 1 Summary\r\nPKI RSAKEY_INVAL_SCRUB 1 Summary\r\nPKI RSAKEY_INVAL_NOT_VULN 1 Summary\r\nPKI RSAKEY_VALID_SHORT 1 Summary\r\nPKI RSAKEY_ANALYSIS_ERROR 1 Summary\r\nPKI RSAKEY_SCRUB_ERROR 1 Summary\r\n\r\nThe meaning of each new error counter is as follows:\r\n\r\nRSAKEY_INVAL_VULN: Invalid vulnerable key detected\r\nRSAKEY_INVAL_SCRUB: Invalid vulnerable key cleared in memory\r\nRSAKEY_INVAL_NOT_VULN: Invalid key, not vulnerable\r\nRSAKEY_VALID_SHORT: Valid key vulnerable in previous affected versions\r\nRSAKEY_ANALYSIS_ERROR: An error occurred during analysis\r\nRSAKEY_SCRUB_ERROR: An error occurred while scrubbing a key\r\n\r\nThese counters are incremented when a corresponding syslog message is logged and require the affected RSA key to be replaced and any certificates using the RSA key pair to be revoked and replaced.\r\n\r\nDevice Boot Warnings\r\n\r\nAfter an affected device is upgraded to a fixed software release, one or more of the following console log messages may be observed during the boot sequence if a malformed or susceptible RSA key is detected:\r\n CRITICAL: RSA key \u003cname\u003e is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and has been cleared in memory. Please remove this key. CRITICAL: RSA key \u003cname\u003e may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.\r\nEach of these boot-time warnings will have a corresponding syslog message logged and requires the RSA key to be replaced and any certificates using the RSA key pair to be revoked and replaced.\r\n\r\nDebug Menu Commands\r\n\r\nAfter upgrading an affected Cisco ASA or FTD device to a fixed software release, use the new debug command debug menu pki 60 to parse all RSA keys on the device. 
The command output will display the state of each RSA key to show whether any of them may have been compromised. The Validity column gives the current status of each RSA key. The value INVALID in this column indicates that the RSA private key may have been leaked. An example of output from the debug command is as follows:\r\n\r\n\r\nasa# debug menu pki 60\r\nKey Name : Validity : Cisco RSA Malformed Key Vulnerability\r\n : : (CVE-2022-20866) exposure status\r\n------------------------ : --------- : -------------------------------------\r\n\u003cDefault-RSA-Key\u003e : Valid : No exposure characteristics\r\ntest1 : Valid : ** Possible exposure in earlier software versions\r\ntest3 : INVALID : No exposure characteristics\r\ntest8 : INVALID : ** Key generated by affected version, cleared in memory\r\ntets2 : ERROR : ** Error during analysis\r\ntest4 : INVALID : ** Has exposure characteristics\r\ntest5 : unknown : Key pair not analyzed\r\n\r\nUndetectable Malformed RSA Key\r\n\r\nIt is not possible to detect a malformed or susceptible RSA key that was used in the past and has since been removed. Some RSA keys may not have been functional due to being malformed, so during normal operations, they might have been removed and regenerated. If there is any concern that a malformed or susceptible RSA key was in use on a device in the past, ensure that any certificates using this RSA key pair have been revoked.", "title": "Indicators of Compromise" }, { "category": "general", "text": "There are no workarounds that address this vulnerability.", "title": "Workarounds" }, { "category": "general", "text": "Cisco has released free software updates [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu\"] that address the vulnerability described in this advisory. 
Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.\r\n\r\nCustomers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:\r\nhttps://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\r\n\r\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\r\n\r\nThe Cisco Support and Downloads page [\"https://www.cisco.com/c/en/us/support/index.html\"] on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. 
If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n Customers Without Service Contracts\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\r\n\r\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n Fixed Releases\r\nIn the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.\r\n\r\nASA Software\r\n Cisco ASA Software Release | First Fixed Release\r\n 9.15 and earlier1 | Not vulnerable\r\n 9.16 | 9.16.3.19\r\n 9.17 | 9.17.1.13\r\n 9.18 | 9.18.2\r\n1. If a Cisco ASA device was upgraded to a vulnerable release and then downgraded to a non-vulnerable release\u2014for example, upgraded to Release 9.16.1 and then downgraded to Release 9.14.3.18\u2014the RSA keys on the non-vulnerable release could be malformed or susceptible because they were saved on a vulnerable release. 
If a Cisco ASA device has been upgraded and downgraded in this manner, please ensure that the RSA keys are valid.\r\nFTD Software\r\n Cisco FTD Software Release | First Fixed Release\r\n 6.7.0 and earlier1 | Not vulnerable\r\n 7.0.0 | 7.0.4\r\n 7.1.0 | Cisco_FTD_Hotfix_P-7.1.0.2-2.sh.REL.tar\r\nCisco_FTD_SSP_FP1K_Hotfix_P-7.1.0.2-2.sh.REL.tar\r\nCisco_FTD_SSP_FP2K_Hotfix_P-7.1.0.2-2.sh.REL.tar\r\nCisco_FTD_SSP_Hotfix_P-7.1.0.2-2.sh.REL.tar\r\nCisco_FTD_SSP_FP3K_Hotfix_Q-7.1.0.3-2.sh.REL.tar\r\n 7.2.0 | 7.2.0.1\r\n1. If a Cisco FTD device was upgraded to a vulnerable release and then downgraded to a non-vulnerable release\u2014for example, upgraded to Release 7.0.0 and then downgraded to Release 6.4.0.15\u2014the RSA keys on the non-vulnerable release could be malformed or susceptible because they were saved on a vulnerable release. If a Cisco FTD device has been upgraded and downgraded in this manner, please ensure that the RSA keys are valid.\r\nFor instructions on upgrading a Cisco FTD device, see the Cisco Firepower Management Center Upgrade Guide [\"https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/getting_started.html\"].\r\n\r\nNote: See the Indicators of Compromise [\"#ic\"] section for more information on the detection of RSA keys that may have been compromised when upgrading to a fixed software release.\r\n\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.", "title": "Fixed Software" }, { "category": "general", "text": "As a result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys. This is because it is possible the RSA private key has been leaked to a malicious actor. 
For additional assistance, see the following technical documentation:\r\n\r\nCisco ASA Software\r\n\r\nCisco ASA Series General Operations CLI Configuration Guide - Digital Certificates [\"https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/basic-certs.html\"]\r\nConfigure ASA: SSL Digital Certificate Installation and Renewal [\"https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html\"]\r\n\r\nCisco FTD Software\r\n\r\nCisco Firepower Threat Defense Configuration Guide for Firepower Device Manager - Certificates [\"https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-certificates.html\"]\r\nCertificate Installation and Renewal on FTD managed by FDM [\"https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html\"]\r\nInstall and Renew Certificates on FTD Managed by FMC [\"https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html\"]\r\n\r\nCustomers are advised to contact the Cisco TAC or their contracted maintenance providers if further assistance is needed.", "title": "Recommendations" }, { "category": "general", "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. 
This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.", "title": "Vulnerability Policy" }, { "category": "general", "text": "The Cisco PSIRT is aware of a public announcement of the vulnerability that is described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.", "title": "Exploitation and Public Announcements" }, { "category": "general", "text": "Cisco would like to thank Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting this vulnerability.", "title": "Source" }, { "category": "legal_disclaimer", "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.", "title": "Legal Disclaimer" } ], "publisher": { "category": "vendor", "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.", "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). 
The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html", "name": "Cisco", "namespace": "https://wwww.cisco.com" }, "references": [ { "category": "self", "summary": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software RSA Private Key Leak Vulnerability", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz" }, { "category": "external", "summary": "Cisco Security Vulnerability Policy", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html" }, { "category": "external", "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz" }, { "category": "external", "summary": "https://github.com/CiscoPSIRT/CVE-2022-20866", "url": "https://github.com/CiscoPSIRT/CVE-2022-20866" }, { "category": "external", "summary": "Memo on RSA signature generation in the presence of faults", "url": "https://infoscience.epfl.ch/record/164524" }, { "category": "external", "summary": "free software updates", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu" }, { "category": "external", "summary": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html", "url": 
"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html" }, { "category": "external", "summary": "Cisco\u0026nbsp;Support and Downloads page", "url": "https://www.cisco.com/c/en/us/support/index.html" }, { "category": "external", "summary": "considering software upgrades", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes" }, { "category": "external", "summary": "Cisco\u0026nbsp;Security Advisories page", "url": "https://www.cisco.com/go/psirt" }, { "category": "external", "summary": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html", "url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html" }, { "category": "external", "summary": "Cisco\u0026nbsp;Firepower Management Center Upgrade Guide", "url": "https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/getting_started.html" }, { "category": "external", "summary": "Cisco ASA Series General Operations CLI Configuration Guide - Digital Certificates", "url": "https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/basic-certs.html" }, { "category": "external", "summary": "Configure ASA: SSL Digital Certificate Installation and Renewal", "url": "https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html" }, { "category": "external", "summary": "Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager - Certificates", "url": "https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-certificates.html" }, { "category": "external", "summary": "Certificate Installation and Renewal on FTD managed by FDM", "url": "https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html" }, { "category": "external", 
"summary": "Install and Renew Certificates on FTD Managed by FMC", "url": "https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html" }, { "category": "external", "summary": "Security Vulnerability Policy", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html" } ], "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software RSA Private Key Leak Vulnerability", "tracking": { "current_release_date": "2022-08-10T16:00:00+00:00", "generator": { "date": "2022-10-22T03:15:39+00:00", "engine": { "name": "TVCE" } }, "id": "cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz", "initial_release_date": "2022-08-10T16:00:00+00:00", "revision_history": [ { "date": "2022-08-10T15:49:27+00:00", "number": "1.0.0", "summary": "Initial public release." } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "service_pack", "name": "9.16.1", "product": { "name": "9.16.1", "product_id": "CSAFPID-283788" } }, { "category": "service_pack", "name": "9.16.1.28", "product": { "name": "9.16.1.28", "product_id": "CSAFPID-284175" } }, { "category": "service_pack", "name": "9.16.2", "product": { "name": "9.16.2", "product_id": "CSAFPID-284342" } }, { "category": "service_pack", "name": "9.16.2.3", "product": { "name": "9.16.2.3", "product_id": "CSAFPID-284600" } }, { "category": "service_pack", "name": "9.16.2.7", "product": { "name": "9.16.2.7", "product_id": "CSAFPID-286190" } }, { "category": "service_pack", "name": "9.16.2.11", "product": { "name": "9.16.2.11", "product_id": "CSAFPID-286192" } }, { "category": "service_pack", "name": "9.16.2.13", "product": { "name": "9.16.2.13", "product_id": "CSAFPID-286396" } }, { "category": "service_pack", "name": "9.16.2.14", "product": { "name": "9.16.2.14", "product_id": "CSAFPID-286584" } }, { "category": "service_pack", 
"name": "9.16.3", "product": { "name": "9.16.3", "product_id": "CSAFPID-286867" } }, { "category": "service_pack", "name": "9.16.3.3", "product": { "name": "9.16.3.3", "product_id": "CSAFPID-286868" } }, { "category": "service_pack", "name": "9.16.3.14", "product": { "name": "9.16.3.14", "product_id": "CSAFPID-286906" } }, { "category": "service_pack", "name": "9.16.3.15", "product": { "name": "9.16.3.15", "product_id": "CSAFPID-287201" } } ], "category": "product_version", "name": "9.16" }, { "branches": [ { "category": "service_pack", "name": "9.17.1", "product": { "name": "9.17.1", "product_id": "CSAFPID-285970" } }, { "category": "service_pack", "name": "9.17.1.7", "product": { "name": "9.17.1.7", "product_id": "CSAFPID-286583" } }, { "category": "service_pack", "name": "9.17.1.9", "product": { "name": "9.17.1.9", "product_id": "CSAFPID-286880" } }, { "category": "service_pack", "name": "9.17.1.10", "product": { "name": "9.17.1.10", "product_id": "CSAFPID-287042" } }, { "category": "service_pack", "name": "9.17.1.11", "product": { "name": "9.17.1.11", "product_id": "CSAFPID-288207" } } ], "category": "product_version", "name": "9.17" }, { "branches": [ { "category": "service_pack", "name": "9.18.1", "product": { "name": "9.18.1", "product_id": "CSAFPID-287079" } }, { "category": "service_pack", "name": "9.18.1.3", "product": { "name": "9.18.1.3", "product_id": "CSAFPID-287200" } } ], "category": "product_version", "name": "9.18" } ], "category": "product_family", "name": "Cisco Adaptive Security Appliance (ASA) Software" }, { "category": "product_family", "name": "Cisco Adaptive Security Appliance (ASA) Software", "product": { "name": "Cisco Adaptive Security Appliance (ASA) Software ", "product_id": "CSAFPID-6588" } }, { "branches": [ { "branches": [ { "category": "service_pack", "name": "7.0.0", "product": { "name": "7.0.0", "product_id": "CSAFPID-282695" } }, { "category": "service_pack", "name": "7.0.0.1", "product": { "name": "7.0.0.1", "product_id": 
"CSAFPID-284277" } }, { "category": "service_pack", "name": "7.0.1", "product": { "name": "7.0.1", "product_id": "CSAFPID-284789" } }, { "category": "service_pack", "name": "7.0.1.1", "product": { "name": "7.0.1.1", "product_id": "CSAFPID-286538" } }, { "category": "service_pack", "name": "7.0.2", "product": { "name": "7.0.2", "product_id": "CSAFPID-286930" } }, { "category": "service_pack", "name": "7.0.2.1", "product": { "name": "7.0.2.1", "product_id": "CSAFPID-287122" } }, { "category": "service_pack", "name": "7.0.3", "product": { "name": "7.0.3", "product_id": "CSAFPID-287181" } } ], "category": "product_version", "name": "7.0" }, { "branches": [ { "category": "service_pack", "name": "7.1.0", "product": { "name": "7.1.0", "product_id": "CSAFPID-286091" } }, { "category": "service_pack", "name": "7.1.0.1", "product": { "name": "7.1.0.1", "product_id": "CSAFPID-286543" } }, { "category": "service_pack", "name": "7.1.0.2", "product": { "name": "7.1.0.2", "product_id": "CSAFPID-290467" } } ], "category": "product_version", "name": "7.1" }, { "branches": [ { "category": "service_pack", "name": "7.2.0", "product": { "name": "7.2.0", "product_id": "CSAFPID-287081" } } ], "category": "product_version", "name": "7.2" } ], "category": "product_family", "name": "Cisco Firepower Threat Defense Software" }, { "category": "product_family", "name": "Cisco Firepower Threat Defense Software", "product": { "name": "Cisco Firepower Threat Defense Software ", "product_id": "CSAFPID-220203" } }, { "category": "product_name", "name": "Cisco ASA 5500-X Series Firewalls", "product": { "name": "Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-277437" } }, { "category": "product_name", "name": "Cisco Firepower 9000 Series", "product": { "name": "Cisco Firepower 9000 Series", "product_id": "CSAFPID-277440" } }, { "category": "product_name", "name": "Cisco Firepower 2100 Series", "product": { "name": "Cisco Firepower 2100 Series", "product_id": "CSAFPID-277392" } }, { 
"category": "product_name", "name": "Cisco Firepower 1000 Series", "product": { "name": "Cisco Firepower 1000 Series", "product_id": "CSAFPID-277393" } }, { "category": "product_name", "name": "Cisco Firepower 4100 Series", "product": { "name": "Cisco Firepower 4100 Series", "product_id": "CSAFPID-277441" } }, { "category": "product_name", "name": "Cisco Secure Firewall 3100 Series", "product": { "name": "Cisco Secure Firewall 3100 Series", "product_id": "CSAFPID-286865" } } ], "category": "vendor", "name": "Cisco" } ], "relationships": [ { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.1 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-283788:277437" }, "product_reference": "CSAFPID-283788", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-283788:277440" }, "product_reference": "CSAFPID-283788", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.1.28 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-284175:277437" }, "product_reference": "CSAFPID-284175", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.1.28 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-284175:277440" }, "product_reference": "CSAFPID-284175", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-284342:277437" }, "product_reference": 
"CSAFPID-284342", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-284342:277440" }, "product_reference": "CSAFPID-284342", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.3 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-284600:277437" }, "product_reference": "CSAFPID-284600", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.3 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-284600:277440" }, "product_reference": "CSAFPID-284600", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.7 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286190:277437" }, "product_reference": "CSAFPID-286190", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.7 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286190:277440" }, "product_reference": "CSAFPID-286190", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.11 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286192:277437" }, "product_reference": "CSAFPID-286192", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 
9.16.2.11 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286192:277440" }, "product_reference": "CSAFPID-286192", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.13 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286396:277437" }, "product_reference": "CSAFPID-286396", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.13 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286396:277440" }, "product_reference": "CSAFPID-286396", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.14 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286584:277437" }, "product_reference": "CSAFPID-286584", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.2.14 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286584:277440" }, "product_reference": "CSAFPID-286584", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286867:277437" }, "product_reference": "CSAFPID-286867", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286867:277440" }, "product_reference": "CSAFPID-286867", "relates_to_product_reference": 
"CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3.3 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286868:277437" }, "product_reference": "CSAFPID-286868", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3.3 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286868:277440" }, "product_reference": "CSAFPID-286868", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3.14 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286906:277437" }, "product_reference": "CSAFPID-286906", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3.14 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286906:277440" }, "product_reference": "CSAFPID-286906", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3.15 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-287201:277437" }, "product_reference": "CSAFPID-287201", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.16.3.15 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287201:277440" }, "product_reference": "CSAFPID-287201", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.17.1 when installed on Cisco Firepower 9000 
Series", "product_id": "CSAFPID-285970:277440" }, "product_reference": "CSAFPID-285970", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.17.1.7 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286583:277440" }, "product_reference": "CSAFPID-286583", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.17.1.9 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286880:277440" }, "product_reference": "CSAFPID-286880", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.17.1.10 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287042:277440" }, "product_reference": "CSAFPID-287042", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.17.1.11 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-288207:277440" }, "product_reference": "CSAFPID-288207", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.18.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287079:277440" }, "product_reference": "CSAFPID-287079", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Adaptive Security Appliance (ASA) Software 9.18.1.3 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287200:277440" }, "product_reference": "CSAFPID-287200", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { 
"name": "Cisco Firepower Threat Defense Software 7.0.0 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-282695:277392" }, "product_reference": "CSAFPID-282695", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-282695:277393" }, "product_reference": "CSAFPID-282695", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-282695:277437" }, "product_reference": "CSAFPID-282695", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-282695:277440" }, "product_reference": "CSAFPID-282695", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-282695:277441" }, "product_reference": "CSAFPID-282695", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0.1 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-284277:277392" }, "product_reference": "CSAFPID-284277", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0.1 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-284277:277393" }, "product_reference": "CSAFPID-284277", "relates_to_product_reference": "CSAFPID-277393" }, { "category": 
"installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0.1 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-284277:277437" }, "product_reference": "CSAFPID-284277", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-284277:277440" }, "product_reference": "CSAFPID-284277", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.0.1 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-284277:277441" }, "product_reference": "CSAFPID-284277", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-284789:277392" }, "product_reference": "CSAFPID-284789", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-284789:277393" }, "product_reference": "CSAFPID-284789", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-284789:277437" }, "product_reference": "CSAFPID-284789", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-284789:277440" }, "product_reference": "CSAFPID-284789", "relates_to_product_reference": 
"CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-284789:277441" }, "product_reference": "CSAFPID-284789", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1.1 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-286538:277392" }, "product_reference": "CSAFPID-286538", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1.1 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-286538:277393" }, "product_reference": "CSAFPID-286538", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1.1 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286538:277437" }, "product_reference": "CSAFPID-286538", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286538:277440" }, "product_reference": "CSAFPID-286538", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.1.1 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-286538:277441" }, "product_reference": "CSAFPID-286538", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-286930:277392" }, "product_reference": "CSAFPID-286930", 
"relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-286930:277393" }, "product_reference": "CSAFPID-286930", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-286930:277437" }, "product_reference": "CSAFPID-286930", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286930:277440" }, "product_reference": "CSAFPID-286930", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-286930:277441" }, "product_reference": "CSAFPID-286930", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2.1 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-287122:277392" }, "product_reference": "CSAFPID-287122", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2.1 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-287122:277393" }, "product_reference": "CSAFPID-287122", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2.1 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-287122:277437" }, 
"product_reference": "CSAFPID-287122", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287122:277440" }, "product_reference": "CSAFPID-287122", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.2.1 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-287122:277441" }, "product_reference": "CSAFPID-287122", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.3 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-287181:277392" }, "product_reference": "CSAFPID-287181", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.3 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-287181:277393" }, "product_reference": "CSAFPID-287181", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.3 when installed on Cisco ASA 5500-X Series Firewalls", "product_id": "CSAFPID-287181:277437" }, "product_reference": "CSAFPID-287181", "relates_to_product_reference": "CSAFPID-277437" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.3 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287181:277440" }, "product_reference": "CSAFPID-287181", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.0.3 when installed on Cisco Firepower 4100 Series", "product_id": 
"CSAFPID-287181:277441" }, "product_reference": "CSAFPID-287181", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-286091:277392" }, "product_reference": "CSAFPID-286091", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-286091:277393" }, "product_reference": "CSAFPID-286091", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286091:277440" }, "product_reference": "CSAFPID-286091", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-286091:277441" }, "product_reference": "CSAFPID-286091", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0 when installed on Cisco Secure Firewall 3100 Series", "product_id": "CSAFPID-286091:286865" }, "product_reference": "CSAFPID-286091", "relates_to_product_reference": "CSAFPID-286865" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0.1 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-286543:277392" }, "product_reference": "CSAFPID-286543", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0.1 when installed on Cisco Firepower 
1000 Series", "product_id": "CSAFPID-286543:277393" }, "product_reference": "CSAFPID-286543", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0.1 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-286543:277440" }, "product_reference": "CSAFPID-286543", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0.1 when installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-286543:277441" }, "product_reference": "CSAFPID-286543", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.1.0.2 when installed on Cisco Secure Firewall 3100 Series", "product_id": "CSAFPID-290467:286865" }, "product_reference": "CSAFPID-290467", "relates_to_product_reference": "CSAFPID-286865" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.2.0 when installed on Cisco Firepower 2100 Series", "product_id": "CSAFPID-287081:277392" }, "product_reference": "CSAFPID-287081", "relates_to_product_reference": "CSAFPID-277392" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.2.0 when installed on Cisco Firepower 1000 Series", "product_id": "CSAFPID-287081:277393" }, "product_reference": "CSAFPID-287081", "relates_to_product_reference": "CSAFPID-277393" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.2.0 when installed on Cisco Firepower 9000 Series", "product_id": "CSAFPID-287081:277440" }, "product_reference": "CSAFPID-287081", "relates_to_product_reference": "CSAFPID-277440" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.2.0 when 
installed on Cisco Firepower 4100 Series", "product_id": "CSAFPID-287081:277441" }, "product_reference": "CSAFPID-287081", "relates_to_product_reference": "CSAFPID-277441" }, { "category": "installed_on", "full_product_name": { "name": "Cisco Firepower Threat Defense Software 7.2.0 when installed on Cisco Secure Firewall 3100 Series", "product_id": "CSAFPID-287081:286865" }, "product_reference": "CSAFPID-287081", "relates_to_product_reference": "CSAFPID-286865" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-20866", "ids": [ { "system_name": "Cisco Bug ID", "text": "CSCwb88651" }, { "system_name": "Cisco Bug ID", "text": "CSCwc28334" } ], "notes": [ { "category": "other", "text": "Complete.", "title": "Affected Product Comprehensiveness" } ], "product_status": { "known_affected": [ "CSAFPID-220203", "CSAFPID-282695:277392", "CSAFPID-282695:277393", "CSAFPID-282695:277437", "CSAFPID-282695:277440", "CSAFPID-282695:277441", "CSAFPID-284277:277392", "CSAFPID-284277:277393", "CSAFPID-284277:277437", "CSAFPID-284277:277440", "CSAFPID-284277:277441", "CSAFPID-284789:277392", "CSAFPID-284789:277393", "CSAFPID-284789:277437", "CSAFPID-284789:277440", "CSAFPID-284789:277441", "CSAFPID-286091:277392", "CSAFPID-286091:277393", "CSAFPID-286091:277440", "CSAFPID-286091:277441", "CSAFPID-286091:286865", "CSAFPID-286538:277392", "CSAFPID-286538:277393", "CSAFPID-286538:277437", "CSAFPID-286538:277440", "CSAFPID-286538:277441", "CSAFPID-286543:277392", "CSAFPID-286543:277393", "CSAFPID-286543:277440", "CSAFPID-286543:277441", "CSAFPID-286930:277392", "CSAFPID-286930:277393", "CSAFPID-286930:277437", "CSAFPID-286930:277440", "CSAFPID-286930:277441", "CSAFPID-287081:277392", "CSAFPID-287081:277393", "CSAFPID-287081:277440", "CSAFPID-287081:277441", "CSAFPID-287081:286865", "CSAFPID-287122:277392", "CSAFPID-287122:277393", "CSAFPID-287122:277437", "CSAFPID-287122:277440", "CSAFPID-287122:277441", "CSAFPID-287181:277392", "CSAFPID-287181:277393", "CSAFPID-287181:277437", 
"CSAFPID-287181:277440", "CSAFPID-287181:277441", "CSAFPID-290467:286865", "CSAFPID-283788:277437", "CSAFPID-283788:277440", "CSAFPID-284175:277437", "CSAFPID-284175:277440", "CSAFPID-284342:277437", "CSAFPID-284342:277440", "CSAFPID-284600:277437", "CSAFPID-284600:277440", "CSAFPID-285970:277440", "CSAFPID-286190:277437", "CSAFPID-286190:277440", "CSAFPID-286192:277437", "CSAFPID-286192:277440", "CSAFPID-286396:277437", "CSAFPID-286396:277440", "CSAFPID-286583:277440", "CSAFPID-286584:277437", "CSAFPID-286584:277440", "CSAFPID-286867:277437", "CSAFPID-286867:277440", "CSAFPID-286868:277437", "CSAFPID-286868:277440", "CSAFPID-286880:277440", "CSAFPID-286906:277437", "CSAFPID-286906:277440", "CSAFPID-287042:277440", "CSAFPID-287079:277440", "CSAFPID-287200:277440", "CSAFPID-287201:277437", "CSAFPID-287201:277440", "CSAFPID-288207:277440", "CSAFPID-6588" ] }, "release_date": "2022-08-10T16:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "Cisco has released software updates that address this vulnerability.", "product_ids": [ "CSAFPID-220203", "CSAFPID-282695:277392", "CSAFPID-282695:277393", "CSAFPID-282695:277437", "CSAFPID-282695:277440", "CSAFPID-282695:277441", "CSAFPID-284277:277392", "CSAFPID-284277:277393", "CSAFPID-284277:277437", "CSAFPID-284277:277440", "CSAFPID-284277:277441", "CSAFPID-284789:277392", "CSAFPID-284789:277393", "CSAFPID-284789:277437", "CSAFPID-284789:277440", "CSAFPID-284789:277441", "CSAFPID-286091:277392", "CSAFPID-286091:277393", "CSAFPID-286091:277440", "CSAFPID-286091:277441", "CSAFPID-286091:286865", "CSAFPID-286538:277392", "CSAFPID-286538:277393", "CSAFPID-286538:277437", "CSAFPID-286538:277440", "CSAFPID-286538:277441", "CSAFPID-286543:277392", "CSAFPID-286543:277393", "CSAFPID-286543:277440", "CSAFPID-286543:277441", "CSAFPID-286930:277392", "CSAFPID-286930:277393", "CSAFPID-286930:277437", "CSAFPID-286930:277440", "CSAFPID-286930:277441", "CSAFPID-287081:277392", "CSAFPID-287081:277393", 
"CSAFPID-287081:277440", "CSAFPID-287081:277441", "CSAFPID-287081:286865", "CSAFPID-287122:277392", "CSAFPID-287122:277393", "CSAFPID-287122:277437", "CSAFPID-287122:277440", "CSAFPID-287122:277441", "CSAFPID-287181:277392", "CSAFPID-287181:277393", "CSAFPID-287181:277437", "CSAFPID-287181:277440", "CSAFPID-287181:277441", "CSAFPID-290467:286865", "CSAFPID-283788:277437", "CSAFPID-283788:277440", "CSAFPID-284175:277437", "CSAFPID-284175:277440", "CSAFPID-284342:277437", "CSAFPID-284342:277440", "CSAFPID-284600:277437", "CSAFPID-284600:277440", "CSAFPID-285970:277440", "CSAFPID-286190:277437", "CSAFPID-286190:277440", "CSAFPID-286192:277437", "CSAFPID-286192:277440", "CSAFPID-286396:277437", "CSAFPID-286396:277440", "CSAFPID-286583:277440", "CSAFPID-286584:277437", "CSAFPID-286584:277440", "CSAFPID-286867:277437", "CSAFPID-286867:277440", "CSAFPID-286868:277437", "CSAFPID-286868:277440", "CSAFPID-286880:277440", "CSAFPID-286906:277437", "CSAFPID-286906:277440", "CSAFPID-287042:277440", "CSAFPID-287079:277440", "CSAFPID-287200:277440", "CSAFPID-287201:277437", "CSAFPID-287201:277440", "CSAFPID-288207:277440", "CSAFPID-6588" ], "url": "https://software.cisco.com" } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "CSAFPID-220203", "CSAFPID-282695:277392", "CSAFPID-282695:277393", "CSAFPID-282695:277437", "CSAFPID-282695:277440", "CSAFPID-282695:277441", "CSAFPID-284277:277392", "CSAFPID-284277:277393", "CSAFPID-284277:277437", "CSAFPID-284277:277440", "CSAFPID-284277:277441", "CSAFPID-284789:277392", "CSAFPID-284789:277393", "CSAFPID-284789:277437", "CSAFPID-284789:277440", "CSAFPID-284789:277441", "CSAFPID-286091:277392", "CSAFPID-286091:277393", "CSAFPID-286091:277440", "CSAFPID-286091:277441", "CSAFPID-286091:286865", "CSAFPID-286538:277392", "CSAFPID-286538:277393", "CSAFPID-286538:277437", "CSAFPID-286538:277440", "CSAFPID-286538:277441", 
"CSAFPID-286543:277392", "CSAFPID-286543:277393", "CSAFPID-286543:277440", "CSAFPID-286543:277441", "CSAFPID-286930:277392", "CSAFPID-286930:277393", "CSAFPID-286930:277437", "CSAFPID-286930:277440", "CSAFPID-286930:277441", "CSAFPID-287081:277392", "CSAFPID-287081:277393", "CSAFPID-287081:277440", "CSAFPID-287081:277441", "CSAFPID-287081:286865", "CSAFPID-287122:277392", "CSAFPID-287122:277393", "CSAFPID-287122:277437", "CSAFPID-287122:277440", "CSAFPID-287122:277441", "CSAFPID-287181:277392", "CSAFPID-287181:277393", "CSAFPID-287181:277437", "CSAFPID-287181:277440", "CSAFPID-287181:277441", "CSAFPID-290467:286865", "CSAFPID-283788:277437", "CSAFPID-283788:277440", "CSAFPID-284175:277437", "CSAFPID-284175:277440", "CSAFPID-284342:277437", "CSAFPID-284342:277440", "CSAFPID-284600:277437", "CSAFPID-284600:277440", "CSAFPID-285970:277440", "CSAFPID-286190:277437", "CSAFPID-286190:277440", "CSAFPID-286192:277437", "CSAFPID-286192:277440", "CSAFPID-286396:277437", "CSAFPID-286396:277440", "CSAFPID-286583:277440", "CSAFPID-286584:277437", "CSAFPID-286584:277440", "CSAFPID-286867:277437", "CSAFPID-286867:277440", "CSAFPID-286868:277437", "CSAFPID-286868:277440", "CSAFPID-286880:277440", "CSAFPID-286906:277437", "CSAFPID-286906:277440", "CSAFPID-287042:277440", "CSAFPID-287079:277440", "CSAFPID-287200:277440", "CSAFPID-287201:277437", "CSAFPID-287201:277440", "CSAFPID-288207:277440", "CSAFPID-6588" ] } ], "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Hardware Cryptographic RSA Malformed Key Vulnerability" } ] }