7.5

CVE-2022-20866

A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key. The following conditions may be observed on an affected device: This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key. The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key. The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.

Data is provided by the National Vulnerability Database (NVD)
CiscoAdaptive Security Appliance Software Version >= 9.16.0 < 9.16.3.19
   CiscoAsa 5506-x Version-
   CiscoAsa 5506h-x Version-
   CiscoAsa 5506w-x Version-
   CiscoAsa 5508-x Version-
   CiscoAsa 5516-x Version-
   CiscoFirepower 1000 Version-
   CiscoFirepower 1010 Version-
   CiscoFirepower 1020 Version-
   CiscoFirepower 1030 Version-
   CiscoFirepower 1040 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2100 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
   CiscoFirepower 4100 Version-
   CiscoFirepower 4110 Version-
   CiscoFirepower 4112 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Version-
   CiscoSecure Firewall 3110 Version-
   CiscoSecure Firewall 3120 Version-
   CiscoSecure Firewall 3130 Version-
   CiscoSecure Firewall 3140 Version-
CiscoAdaptive Security Appliance Software Version >= 9.17.0 < 9.17.1.13
   CiscoAsa 5506-x Version-
   CiscoAsa 5506h-x Version-
   CiscoAsa 5506w-x Version-
   CiscoAsa 5508-x Version-
   CiscoAsa 5516-x Version-
   CiscoFirepower 1000 Version-
   CiscoFirepower 1010 Version-
   CiscoFirepower 1020 Version-
   CiscoFirepower 1030 Version-
   CiscoFirepower 1040 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2100 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
   CiscoFirepower 4100 Version-
   CiscoFirepower 4110 Version-
   CiscoFirepower 4112 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Version-
   CiscoSecure Firewall 3110 Version-
   CiscoSecure Firewall 3120 Version-
   CiscoSecure Firewall 3130 Version-
   CiscoSecure Firewall 3140 Version-
CiscoAdaptive Security Appliance Software Version >= 9.18.0 < 9.18.2
   CiscoAsa 5506-x Version-
   CiscoAsa 5506h-x Version-
   CiscoAsa 5506w-x Version-
   CiscoAsa 5508-x Version-
   CiscoAsa 5516-x Version-
   CiscoFirepower 1000 Version-
   CiscoFirepower 1010 Version-
   CiscoFirepower 1020 Version-
   CiscoFirepower 1030 Version-
   CiscoFirepower 1040 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2100 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
   CiscoFirepower 4100 Version-
   CiscoFirepower 4110 Version-
   CiscoFirepower 4112 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Version-
   CiscoSecure Firewall 3110 Version-
   CiscoSecure Firewall 3120 Version-
   CiscoSecure Firewall 3130 Version-
   CiscoSecure Firewall 3140 Version-
CiscoFirepower Threat Defense Version >= 7.0.0 < 7.0.4
   CiscoAsa 5506-x Version-
   CiscoAsa 5506h-x Version-
   CiscoAsa 5506w-x Version-
   CiscoAsa 5508-x Version-
   CiscoAsa 5516-x Version-
   CiscoFirepower 1000 Version-
   CiscoFirepower 1010 Version-
   CiscoFirepower 1020 Version-
   CiscoFirepower 1030 Version-
   CiscoFirepower 1040 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2100 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
   CiscoFirepower 4100 Version-
   CiscoFirepower 4110 Version-
   CiscoFirepower 4112 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Version-
   CiscoSecure Firewall 3110 Version-
   CiscoSecure Firewall 3120 Version-
   CiscoSecure Firewall 3130 Version-
   CiscoSecure Firewall 3140 Version-
CiscoFirepower Threat Defense Version >= 7.1.0 < 7.2.0.1
   CiscoAsa 5506-x Version-
   CiscoAsa 5506h-x Version-
   CiscoAsa 5506w-x Version-
   CiscoAsa 5508-x Version-
   CiscoAsa 5516-x Version-
   CiscoFirepower 1000 Version-
   CiscoFirepower 1010 Version-
   CiscoFirepower 1020 Version-
   CiscoFirepower 1030 Version-
   CiscoFirepower 1040 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2100 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
   CiscoFirepower 4100 Version-
   CiscoFirepower 4110 Version-
   CiscoFirepower 4112 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Version-
   CiscoSecure Firewall 3110 Version-
   CiscoSecure Firewall 3120 Version-
   CiscoSecure Firewall 3130 Version-
   CiscoSecure Firewall 3140 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 14.41% 0.942
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
psirt@cisco.com 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.