Cisco Security Advisory

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software RSA Private Key Leak Vulnerability

High

Advisory ID:

cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz

First Published:

2022 August 10 16:00 GMT

Version 1.0:

Final

Workarounds:

No workarounds available

Cisco Bug IDs:

CSCwb88651

CSCwc28334

CVE-2022-20866

CWE-203

CVSS Score:

Base 7.4

CVE-2022-20866

CWE-203

Download CSAF

Summary

A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key.

This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key.

The following conditions may be observed on an affected device:
- This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key.
- The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key.
- The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz

Affected Products

Vulnerable Products

This vulnerability affects the following Cisco products, which perform hardware-based cryptographic functions, if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software:

ASA 5506-X with FirePOWER Services
ASA 5506H-X with FirePOWER Services
ASA 5506W-X with FirePOWER Services
ASA 5508-X with FirePOWER Services
ASA 5516-X with FirePOWER Services
Firepower 1000 Series Next-Generation Firewall
Firepower 2100 Series Security Appliances
Firepower 4100 Series Security Appliances
Firepower 9300 Series Security Appliances
Secure Firewall 3100

Additional information:

This vulnerability affects only Cisco ASA Software releases 9.16.1 and later and Cisco FTD Software releases 7.0.0 and later; all earlier software releases are not affected. If a customer is running Cisco ASA Software Release 9.15 or earlier or Cisco FTD Software Release 6.7 or earlier, the device is not considered vulnerable as long as none of the RSA keys present on the device were generated by a vulnerable software release.
This vulnerability applies to RSA keys only. Elliptic Curve Digital Signature Algorithm (ECDSA) keys and Edwards-curve Digital Signature Algorithm (EdDSA) keys are not vulnerable.
This vulnerability applies to all RSA keys that are stored in memory or flash on a vulnerable software release, which means an RSA key could become malformed or susceptible to the RSA private key leak during the following actions:

- When generating a new RSA key on a vulnerable software release
- When a good RSA key is upgraded from an earlier, non-vulnerable software release to a vulnerable software release
- When importing the RSA key on a vulnerable software release

Thus, any RSA key on a vulnerable software release, regardless of where it was originally generated, could be malformed (non-working but vulnerable to the RSA private key leak) or susceptible (valid but vulnerable to the RSA private key leak). If the RSA key was configured for use at any time, then it is possible the RSA private key has been leaked to malicious actors.

Vulnerable Configurations

If an RSA key is flagged by the Cisco off-box detection script or any of the conditions noted in the Indicators of Compromise section of this advisory, Cisco recommends that the RSA key be replaced and any certificates that use this RSA key pair be revoked and replaced. The following Cisco ASA and FTD Software features are known to be used with a configured RSA key; however, any flagged RSA key should be replaced on the device.

ASA Software

In the following table, the left column lists the Cisco ASA Software features that are potentially vulnerable if a malformed or susceptible RSA key is associated with that feature's configuration. The right column indicates the basic configuration for the feature from the show running-config CLI command, if it can be determined.

Cisco ASA Software Feature	Possible Vulnerable Configuration
Adaptive Security Device Manager (ASDM)¹	http server enable http
AnyConnect SSL VPN	webvpn enable
Cisco Security Manager (CSM)¹	http server enable http
Clientless SSL VPN (WebVPN)²	webvpn enable
Internet Key Exchange Version 1 (IKEv1) VPN (remote access and LAN-to-LAN) using certificate-based authentication	crypto ikev1 enable crypto ikev1 policy authentication rsa-sig tunnel-group ipsec-attributes trust-point
Internet Key Exchange Version 2 (IKEv2) VPN (remote access and LAN-to-LAN) using certificate-based authentication	crypto ikev2 enable tunnel-group ipsec-attributes ikev2 remote-authentication certificate ikev2 local-authentication certificate
Proxy Bypass	webvpn proxy-bypass
TLS Proxy	tls-proxy
REST API¹	rest-api image disk0:/ rest-api agent
SSH Access³	ssh

1. ASDM, CSM, and REST API services are accessible only from an IP address in the configured http command range.

2. Clientless SSL VPN is no longer supported in Cisco ASA Software releases 9.17(1) and later.

3. SSH service is accessible only from an IP address in the configured ssh command range.

FTD Software

In the following table, the left column lists the Cisco FTD Software features that are potentially affected if a malformed or susceptible RSA key is associated with that feature's configuration. The right column indicates the basic configuration for the feature from the show running-config CLI command, if it can be determined.

Cisco FTD Feature	Possible Vulnerable Configuration
AnyConnect SSL VPN^1,2	webvpn enable
Clientless SSL VPN (WebVPN)²	webvpn enable
IKEv1 VPN (remote access and LAN-to-LAN) using certificate-based authentication^1,2	crypto ikev1 enable crypto ikev1 policy authentication rsa-sig tunnel-group ipsec-attributes trust-point
IKEv2 VPN (remote access and LAN-to-LAN) using certificate-based authentication^1,2	crypto ikev2 enable tunnel-group ipsec-attributes ikev2 remote-authentication certificate ikev2 local-authentication certificate

1. Remote access VPN features are enabled through Devices > VPN > Remote Access in Cisco Firepower Management Center (FMC) Software or through Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).

2. The Clientless SSL VPN feature is not supported as of Cisco FTD Software Release 7.1.0. However, for earlier Cisco FTD Software releases, it can be enabled using FlexConfig.

Determine Whether the RSA Key Is Malformed or Susceptible

To determine whether the RSA key is malformed or susceptible, use the Cisco off-box detection script, which detects malformed or susceptible RSA keys for which the RSA private key could have been leaked. Customers can run this script on a local machine (not on a Cisco ASA or FTD device) without the sensitive key material ever leaving their environment.

Cisco recommends using this script when a device is running a vulnerable release of Cisco ASA or FTD Software and cannot be upgraded to a fixed software release immediately.

To use the script, do the following:

Export the RSA key(s) that need testing from a potentially affected device.
Run the script to identify whether any of the RSA keys are either malformed or susceptible to the RSA private key leak.

For the script and associated documentation, see https://github.com/CiscoPSIRT/CVE-2022-20866.

Note: If an RSA key is not currently configured but was previously configured on a vulnerable software release, then the RSA private key could have been leaked. Cisco recommends removing the RSA key and revoking any certificates that use this RSA key pair.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco FMC Software.

Details

Lenstra Side-Channel Attack

In 1996, Arjen Lenstra described an attack against Chinese remainder theorem optimization (RSA-CRT). This attack is possible if a fault happens during the computation of a cryptographic signature when using RSA-CRT optimization. An attacker could potentially recover the private key from the signature. This attack is also known as an RSA-CRT key leak. The Lenstra attack is a well-known side-channel attack. It does not attack the RSA algorithm directly but could exploit flaws in the implementation.

For additional information on the attack, see the Memo on RSA signature generation in the presence of faults.

The vulnerability described in this advisory could result in an RSA key for which the Lenstra side-channel attack is successful, potentially allowing the attacker to derive the RSA private key.

Indicators of Compromise

These indicators of compromise are available on Cisco ASA or FTD Software fixed releases only. They are not available on previous software releases.

When an affected device is upgraded to a fixed software release, some or all of these indicators may be present to alert an administrator that the device has an RSA key for which the RSA private key may have been leaked.

How to Detect Malformed or Susceptible RSA Keys When Upgrading to a Fixed Software Release

Critical Syslog Messages

When an affected device is upgraded to a fixed software release, two new syslog messages will alert the administrator if malformed or potentially susceptible RSA keys are detected. These messages mean that the RSA key(s) flagged could have leaked the RSA private key. The new syslog messages are logged at the CRITICAL level and can be viewed by an administrator using the show logging CLI command. The ASA or FTD prefix is specific to the type of device the syslog is being displayed on. The new syslog messages will appear as follows:

%ASA-1-717065: Keypair is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and will be cleared in memory. Please remove this key.

%FTD-1-717065: Keypair is invalid due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866) and will be cleared in memory. Please remove this key.

Syslog messages ASA-1-717065 and FTD-1-717065 indicate that a malformed RSA key was detected that was vulnerable to the RSA private key leak described in this security advisory. The malformed RSA key was disabled and cannot be used. This RSA key was not functional previously and must be replaced. Any certificates using this RSA key pair must also be revoked and replaced.

%ASA-1-717066: Keypair is valid but may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.

%FTD-1-717066: Keypair is valid but may have been vulnerable to exposure in previous versions due to the Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866). Please remove this key.

Syslog messages ASA-1-717066 and FTD-1-717066 indicate that although the RSA key is not malformed, it was susceptible to the RSA private key leak described in this security advisory. It is highly recommended that this RSA key be replaced and any certificates using this RSA key pair be revoked and replaced.

Error Counters

When an affected device is upgraded to a fixed software release, several new error counters will indicate if a malformed or susceptible RSA key is detected. To view these counters, use the show counters | grep PKI CLI command. The new error counters appear as follows:

asaftd# show counters | grep PKI
...
PKI          RSAKEY_INVAL_VULN                        1   Summary
PKI          RSAKEY_INVAL_SCRUB                       1   Summary
PKI          RSAKEY_INVAL_NOT_VULN                    1   Summary
PKI          RSAKEY_VALID_SHORT                       1   Summary
PKI          RSAKEY_ANALYSIS_ERROR                    1   Summary
PKI          RSAKEY_SCRUB_ERROR                       1   Summary

The meaning of each new error counter is as follows:

RSAKEY_INVAL_VULN: Invalid vulnerable key detected
RSAKEY_INVAL_SCRUB: Invalid vulnerable key cleared in memory
RSAKEY_INVAL_NOT_VULN: Invalid key, not vulnerable
RSAKEY_VALID_SHORT: Valid key vulnerable in previous affected versions
RSAKEY_ANALYSIS_ERROR: An error occurred during analysis
RSAKEY_SCRUB_ERROR: An error occurred while scrubbing a key

These counters are incremented when a corresponding syslog message is logged and require the affected RSA key to be replaced and any certificates using the RSA key pair to be revoked and replaced.

Device Boot Warnings

After an affected device is upgraded to a fixed software release, one or more of the following console log messages may be observed during the boot sequence if a malformed or susceptible RSA key is detected:

CRITICAL:	RSA key is invalid due to the
	Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866)
	and has been cleared in memory. Please remove this key.

CRITICAL:	RSA key may have been vulnerable to
	exposure in previous versions due to the
	Cisco RSA Private Key Leak Vulnerability (CVE-2022-20866).
	Please remove this key.

Each of these boot-time warnings will have a corresponding syslog message logged and requires the RSA key to be replaced and any certificates using the RSA key pair to be revoked and replaced.

Debug Menu Commands

After upgrading an affected Cisco ASA or FTD device to a fixed software release, use the new debug command debug menu pki 60 to parse all RSA keys on the device. The command output will display the state of each RSA key to show whether any of them may have been compromised. The Validity column gives the current status of each RSA key. The value INVALID in this column indicates that the RSA private key may have been leaked. An example of output from the debug command is as follows:

asa# debug menu pki 60
Key Name                 : Validity  : Cisco RSA Malformed Key Vulnerability 
                         :           : (CVE-2022-20866) exposure status
------------------------ : --------- : -------------------------------------
        : Valid     : No exposure characteristics
test1                    : Valid     : ** Possible exposure in earlier software versions
test3                    : INVALID   : No exposure characteristics
test8                    : INVALID   : ** Key generated by affected version, cleared in memory
tets2                    : ERROR     : ** Error during analysis
test4                    : INVALID   : ** Has exposure characteristics
test5                    : unknown   : Key pair not analyzed

Undetectable Malformed RSA Key

It is not possible to detect a malformed or susceptible RSA key that was used in the past and has since been removed. Some RSA keys may not have been functional due to being malformed, so during normal operations, they might have been removed and regenerated. If there is any concern that a malformed or susceptible RSA key was in use on a device in the past, ensure that any certificates using this RSA key pair have been revoked.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.

ASA Software

Cisco ASA Software Release	First Fixed Release
9.15 and earlier¹	Not vulnerable
9.16	9.16.3.19
9.17	9.17.1.13
9.18	9.18.2

1. If a Cisco ASA device was upgraded to a vulnerable release and then downgraded to a non-vulnerable release-for example, upgraded to Release 9.16.1 and then downgraded to Release 9.14.3.18-the RSA keys on the non-vulnerable release could be malformed or susceptible because they were saved on a vulnerable release. If a Cisco ASA device has been upgraded and downgraded in this manner, please ensure that the RSA keys are valid.

FTD Software

Cisco FTD Software Release	First Fixed Release
6.7.0 and earlier¹	Not vulnerable
7.0.0	7.0.4
7.1.0	Cisco_FTD_Hotfix_P-7.1.0.2-2.sh.REL.tar Cisco_FTD_SSP_FP1K_Hotfix_P-7.1.0.2-2.sh.REL.tar Cisco_FTD_SSP_FP2K_Hotfix_P-7.1.0.2-2.sh.REL.tar Cisco_FTD_SSP_Hotfix_P-7.1.0.2-2.sh.REL.tar Cisco_FTD_SSP_FP3K_Hotfix_Q-7.1.0.3-2.sh.REL.tar
7.2.0	7.2.0.1

1. If a Cisco FTD device was upgraded to a vulnerable release and then downgraded to a non-vulnerable release-for example, upgraded to Release 7.0.0 and then downgraded to Release 6.4.0.15-the RSA keys on the non-vulnerable release could be malformed or susceptible because they were saved on a vulnerable release. If a Cisco FTD device has been upgraded and downgraded in this manner, please ensure that the RSA keys are valid.

For instructions on upgrading a Cisco FTD device, see the Cisco Firepower Management Center Upgrade Guide.

Note: See the Indicators of Compromise section for more information on the detection of RSA keys that may have been compromised when upgrading to a fixed software release.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Recommendations

As the result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys. This is because it is possible the RSA private key has been leaked to a malicious actor. For additional assistance, see the following technical documentation:

Cisco ASA Software
- Cisco ASA Series General Operations CLI Configuration Guide - Digital Certificates
- Configure ASA: SSL Digital Certificate Installation and Renewal
Cisco FTD Software
Customers are advised to contact the Cisco TAC or their contracted maintenance providers if further assistance is needed.

Exploitation and Public Announcements

The Cisco PSIRT is aware of a public announcement of the vulnerability that is described in this advisory.

The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

Cisco would like to thank Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting this vulnerability.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Related to This Advisory

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz

Revision History

Version Description Section Status Date

1.0 Initial public release. - Final 2022-AUG-10

Show Less

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

Feedback

Leave additional feedback