Vulnslist


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability

cisco-sa-asaftd-ipsec-mitm-CKnLr4 · Severity: High

A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec IKEv2 VPN tunnel and then using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipsec-mitm-CKnLr4

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Workarounds

There is a workaround that addresses this vulnerability. To remove the attack vector for this vulnerability, reconfigure all existing IPsec IKEv2 proposals to use a non-GCM cipher.

For example, if you have the following IPsec IKEv2 proposal configured:

firewall# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES-GCM
protocol esp encryption aes-gcm
protocol esp integrity null

Reconfigure that as follows:

firewall# configure terminal
firewall(config)# crypto ipsec ikev2 ipsec-proposal AES-GCM
firewall(config-ipsec-proposal)# protocol esp integrity sha-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored
firewall(config-ipsec-proposal)# protocol esp encryption aes-256
firewall# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES-GCM
protocol esp encryption aes-256
protocol esp integrity sha-256

Note: GCM ciphers are inherently authenticated, so the configured integrity algorithm is ignored for these ciphers and the null integrity setting is recommended with them. When changing to a non-GCM cipher, first configure a valid integrity algorithm as well.

For all available options, see the Cisco ASA Series Command Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/pr-pz-commands.html#wp3024205846

For LAN-to-LAN IPsec IKEv2 VPN connections, match the configuration on the remote side accordingly to ensure that the VPN tunnels keep working.

To completely close the attack vector, force all existing IPsec IKEv2 VPN connections to log off and then re-establish their session using the new ciphers as follows:

firewall# vpn-sessiondb logoff protocol ikev2
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with protocol "IKEv2" logged off : 0

Note: Using this command will force all existing IPsec IKEv2 VPN tunnels to be torn down. This will cause intermittent packet loss across the affected VPN tunnels until those tunnels are re-established.
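The workaround above depends on every IKEv2 proposal being moved off a GCM cipher and, per the note, every non-GCM proposal carrying a real integrity algorithm. The following audit script is an added example and is not part of the advisory or Cisco's own tooling: it parses the text that "show running-config crypto ipsec" prints (in the format shown above) and reports proposals that still need attention. It assumes that every ASA encryption keyword in the GCM/GMAC family starts with "aes-gcm" or "aes-gmac" (the advisory itself only shows "aes-gcm"), and the sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit Cisco ASA/FTD IPsec IKEv2 proposals for GCM-family ciphers.

Added example, not from the advisory or from Cisco. It parses the output of
`show running-config crypto ipsec` (format as shown in the advisory) and
reports (a) proposals that still use a GCM/GMAC cipher and (b) non-GCM
proposals whose integrity is null or missing, which the advisory's note says
must be fixed before switching away from GCM.
"""
import re

# Assumption: every ASA encryption keyword in the GCM/GMAC family begins with
# one of these prefixes. The advisory only shows "aes-gcm" explicitly.
GCM_PREFIXES = ("aes-gcm", "aes-gmac")

# Constructed sample output, modelled on the advisory's example plus extra
# proposals so both failure modes and a clean proposal are exercised.
SAMPLE_CONFIG = """\
firewall# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal MIXED
 protocol esp encryption aes-gcm-256 aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES-NOINT
 protocol esp encryption aes-192
 protocol esp integrity null
"""

PROPOSAL_RE = re.compile(r"^\s*crypto ipsec ikev2 ipsec-proposal (\S+)")
ENC_RE = re.compile(r"^\s*protocol esp encryption (.+)$")
INT_RE = re.compile(r"^\s*protocol esp integrity (.+)$")


def parse_proposals(config_text):
    """Return {proposal_name: {"encryption": [...], "integrity": [...]}}.

    A proposal may list several algorithms on one line, so each value is a
    list of keywords in the order the device printed them.
    """
    proposals = {}
    current = None
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line)
        if m:
            current = proposals.setdefault(
                m.group(1), {"encryption": [], "integrity": []})
            continue
        if current is None:  # prompt line or text before the first proposal
            continue
        m = ENC_RE.match(line)
        if m:
            current["encryption"].extend(m.group(1).split())
            continue
        m = INT_RE.match(line)
        if m:
            current["integrity"].extend(m.group(1).split())
    return proposals


def is_gcm(cipher):
    """True for any keyword in the GCM/GMAC family (assumed prefix rule)."""
    return cipher.lower().startswith(GCM_PREFIXES)


def audit_proposals(config_text):
    """Return a list of (proposal_name, finding) tuples; empty means clean."""
    findings = []
    for name, prop in parse_proposals(config_text).items():
        gcm = [c for c in prop["encryption"] if is_gcm(c)]
        if gcm:
            findings.append((name, "uses GCM/GMAC cipher(s): " + ", ".join(gcm)))
        non_gcm = [c for c in prop["encryption"] if not is_gcm(c)]
        # Per the advisory's note, a non-GCM cipher needs a valid integrity
        # algorithm; "null" (or none at all) is only acceptable alongside GCM.
        if non_gcm and all(i == "null" for i in prop["integrity"]):
            findings.append((name, "non-GCM cipher(s) with null/absent integrity: "
                             + ", ".join(non_gcm)))
    return findings


if __name__ == "__main__":
    for name, finding in audit_proposals(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run it against a saved copy of the real command output instead of SAMPLE_CONFIG; an empty result means every IKEv2 proposal is already on a non-GCM cipher with a real integrity algorithm, and only the session logoff step remains.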

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2022-20742
Cisco Bug IDs: CSCvz81480
CVSS Score: Base 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:X/RC:X)
Product Names From Source
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software: 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.4, 9.12.2.5, 9.12.2.9, 9.12.3, 9.12.3.2, 9.12.3.7, 9.12.4, 9.12.3.12, 9.12.3.9, 9.12.2.1, 9.12.4.2, 9.12.4.4, 9.12.4.7, 9.12.4.10, 9.12.4.13, 9.12.4.18, 9.12.4.24, 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.14.1, 9.14.1.10, 9.14.1.15, 9.14.1.19, 9.14.1.30, 9.14.2, 9.14.2.4, 9.14.2.8, 9.14.2.13, 9.14.2.15, 9.14.3, 9.14.3.1, 9.14.3.9, 9.14.3.11, 9.16.1, 9.16.1.28, 9.16.2, 9.16.2.3

Cisco Secure Firewall Threat Defense (FTD) Software: 6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4, 6.6.5, 6.4.0, 6.4.0.1, 6.4.0.3, 6.4.0.2, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7, 6.4.0.8, 6.4.0.9, 6.4.0.10, 6.4.0.11, 6.4.0.12, 7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1

Also listed without a version: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco Firepower 9000 Series, Cisco Firepower 4100 Series
