CVE-2022-20759
Published: 03 May 2022
Summary
CVE-2022-20759 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software stems from improper separation of authentication and authorization scopes. An authenticated but unprivileged remote attacker can send crafted HTTPS messages to the interface and obtain privilege level 15 access on the web management interface, including through management tools such as Cisco Adaptive Security Device Manager (ASDM) or Cisco Security Manager (CSM). The CVSS 3.1 base score is 8.8; on FTD the impact is lower than the score suggests because the affected web management interface allows read access only.
An attacker who already possesses valid low-privilege credentials on an affected device can exploit the flaw remotely without user interaction to escalate to full administrative control of the management plane. Successful exploitation grants the ability to view or modify device configuration and policies through the web interface.
The Cisco Security Advisory cisco-sa-asaftd-mgmt-privesc-BMFMUvye and the associated GitHub security advisory detail the issue and list fixed software releases. The EPSS score has remained flat at 0.1339 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26009
Vulnerability details
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.
This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM). Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
- Access supervision ensures privileges are assigned and managed without improper escalation or retention.
- Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
- The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
- Least privilege restricts each account to only the rights it requires.
- A verified reference monitor enforces privilege management by mediating every access decision.
- Policy requires training on privilege management and least privilege, making improper privilege management weaknesses harder to exploit.
- Training covers proper privilege management practices, making incorrect privilege assignments less likely.