ID

VAR-202204-1972


CVE

CVE-2022-20759


TITLE

Vulnerability in privilege management in Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software

Trust: 0.8

sources: JVNDB: JVNDB-2022-010453

DESCRIPTION

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15. This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM).

Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only. It may be put into a denial-of-service (DoS) state. The platform provides features such as highly secure access to data and network resources.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-mgmt-privesc-BMFMUvye

This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Trust: 1.8

sources: NVD: CVE-2022-20759 // JVNDB: JVNDB-2022-010453 // VULHUB: VHN-405312 // VULMON: CVE-2022-20759

AFFECTED PRODUCTS

vendor: cisco // model: adaptive security appliance software // scope: gte // version: 9.15.0

Trust: 1.0

vendor: cisco // model: firepower threat defense // scope: gte // version: 6.5.0

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: lt // version: 9.16.2.14

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: gte // version: 9.16.0

Trust: 1.0

vendor: cisco // model: firepower threat defense // scope: lt // version: 7.0.2

Trust: 1.0

vendor: cisco // model: firepower threat defense // scope: lt // version: 6.4.0.15

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: gte // version: 9.13.0

Trust: 1.0

vendor: cisco // model: firepower threat defense // scope: eq // version: 7.1.0

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: lt // version: 9.17.1.7

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: gte // version: 9.17.0

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: lt // version: 9.14.4

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: lt // version: 9.15.1.21

Trust: 1.0

vendor: cisco // model: firepower threat defense // scope: lt // version: 6.6.5.2

Trust: 1.0

vendor: cisco // model: adaptive security appliance software // scope: lt // version: 9.12.4.38

Trust: 1.0

vendor: cisco // model: firepower threat defense // scope: gte // version: 6.7.0

Trust: 1.0

vendor: Cisco Systems // model: cisco adaptive security appliance // scope: - // version: -

Trust: 0.8

vendor: Cisco Systems // model: cisco firepower threat defense software // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-010453 // NVD: CVE-2022-20759

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-20759
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20759
value: HIGH

Trust: 1.0

NVD: CVE-2022-20759
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202204-4505
value: HIGH

Trust: 0.6

VULHUB: VHN-405312
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2022-20759
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-405312
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2022-20759
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-20759
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405312 // JVNDB: JVNDB-2022-010453 // CNNVD: CNNVD-202204-4505 // NVD: CVE-2022-20759 // NVD: CVE-2022-20759

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-266

Trust: 1.0

problemtype:Improper authority management (CWE-269) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405312 // JVNDB: JVNDB-2022-010453 // NVD: CVE-2022-20759

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-4505

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202204-4505

PATCH

title: cisco-sa-asaftd-mgmt-privesc-BMFMUvye // url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgmt-privesc-BMFMUvye

Trust: 0.8

title: Multiple Cisco Product security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191571

Trust: 0.6

title: Cisco: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Privilege Escalation Vulnerability // url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-asaftd-mgmt-privesc-BMFMUvye

Trust: 0.1

sources: VULMON: CVE-2022-20759 // JVNDB: JVNDB-2022-010453 // CNNVD: CNNVD-202204-4505

EXTERNAL IDS

db: NVD // id: CVE-2022-20759

Trust: 3.4

db: JVNDB // id: JVNDB-2022-010453

Trust: 0.8

db: AUSCERT // id: ESB-2022.1913

Trust: 0.6

db: CS-HELP // id: SB2022042739

Trust: 0.6

db: CNNVD // id: CNNVD-202204-4505

Trust: 0.6

db: CNVD // id: CNVD-2022-44688

Trust: 0.1

db: VULHUB // id: VHN-405312

Trust: 0.1

db: VULMON // id: CVE-2022-20759

Trust: 0.1

sources: VULHUB: VHN-405312 // VULMON: CVE-2022-20759 // JVNDB: JVNDB-2022-010453 // CNNVD: CNNVD-202204-4505 // NVD: CVE-2022-20759

REFERENCES

url:https://github.com/orangecertcc/security-research/security/advisories/ghsa-gq88-gqmj-7v24

Trust: 2.5

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-mgmt-privesc-bmfmuvye

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-20759

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022042739

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20759/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-asa-privilege-escalation-via-remote-access-vpn-web-interface-38165

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1913

Trust: 0.6

sources: VULHUB: VHN-405312 // VULMON: CVE-2022-20759 // JVNDB: JVNDB-2022-010453 // CNNVD: CNNVD-202204-4505 // NVD: CVE-2022-20759

SOURCES

db: VULHUB // id: VHN-405312
db: VULMON // id: CVE-2022-20759
db: JVNDB // id: JVNDB-2022-010453
db: CNNVD // id: CNNVD-202204-4505
db: NVD // id: CVE-2022-20759

LAST UPDATE DATE

2024-08-14T13:22:23.132000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-405312 // date: 2022-05-13T00:00:00
db: JVNDB // id: JVNDB-2022-010453 // date: 2023-08-15T07:45:00
db: CNNVD // id: CNNVD-202204-4505 // date: 2022-05-16T00:00:00
db: NVD // id: CVE-2022-20759 // date: 2023-11-07T03:42:52.017

SOURCES RELEASE DATE

db: VULHUB // id: VHN-405312 // date: 2022-05-03T00:00:00
db: JVNDB // id: JVNDB-2022-010453 // date: 2023-08-15T00:00:00
db: CNNVD // id: CNNVD-202204-4505 // date: 2022-04-27T00:00:00
db: NVD // id: CVE-2022-20759 // date: 2022-05-03T04:15:09.827