CVE-2022-20918 in Cisco FirePOWER Software for ASA

Summary

by MITRE • 11/16/2022

A vulnerability in the Simple Network Management Protocol (SNMP) access controls for Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Cisco Firepower Management Center (FMC) Software, and Cisco Next-Generation Intrusion Prevention System (NGIPS) Software could allow an unauthenticated, remote attacker to perform an SNMP GET request using a default credential. This vulnerability is due to the presence of a default credential for SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2). An attacker could exploit this vulnerability by sending an SNMPv1 or SNMPv2 GET request to an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the device using the default credential. This attack will only be successful if SNMP is configured, and the attacker can only perform SNMP GET requests; write access using SNMP is not allowed.


Analysis

by VulDB Data Team • 12/11/2022

The vulnerability identified as CVE-2022-20918 is an access control weakness in the SNMP implementation of several Cisco network security products: the FirePOWER module for the Adaptive Security Appliance (ASA), Firepower Management Center (FMC) Software, and Next-Generation Intrusion Prevention System (NGIPS) Software. The flaw is the presence of a default SNMPv1/SNMPv2c credential (a community string) that an unauthenticated, remote attacker can use to read information from the device. It affects only SNMP versions 1 and 2c, legacy protocol versions in which the community string is the sole authentication mechanism, is sent in clear text, and is not protected by any encryption or integrity check.

No protocol manipulation is required to exploit the flaw. The attacker sends an ordinary SNMPv1 or SNMPv2c GET request carrying the default community string to UDP port 161 of an affected device, and the device answers as it would for any authorized read-only manager. The readable data depends on which MIBs the device exposes, but typically includes system identity, interface and routing tables, and other operational details. The defect is a failure of secure defaults: a credential that ships with the product substitutes for the per-device, operator-chosen credential that should gate access to the management plane. The flaw is classified under CWE-798 (use of hard-coded credentials), and the resulting activity maps to ATT&CK technique T1082 (system information discovery), where adversaries enumerate device configuration and operational parameters.

The operational impact goes beyond simple information disclosure: the retrieved data can give an attacker insight into network topology, device configuration, and security policy that supports later stages of an intrusion. The attack succeeds only if SNMP is configured on the device, but wherever it is, the default community string is usable by anyone who can reach UDP port 161, regardless of what other credentials the administrator has set. Because only GET requests are honored and SNMP write access is not permitted, the attacker cannot change configuration or execute commands; the exposure is limited to reading. Organizations most affected are those that expose SNMP beyond a dedicated management network or that have not applied the vendor fix.

Mitigation for CVE-2022-20918 starts with applying the fixed software from Cisco. Until that is done, SNMPv1 and SNMPv2c should be disabled entirely where possible and replaced with SNMPv3 with authentication and privacy enabled, since the community-string model of the older versions cannot be made secure against an attacker on the same network path. Where SNMP must remain enabled, access to UDP port 161 should be restricted by ACL or firewall policy to the management network, and each device should use a strong, unique community string or SNMPv3 user. A direct check of exposure is to issue an SNMP GET with common default community strings from a host outside the management network: any response confirms the problem. Network segmentation, periodic audits for default credentials, and monitoring for SNMP requests from unexpected sources or carrying default community strings round out the controls; these practices follow the credential and network-security guidance in NIST SP 800-53 and ISO 27001.
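The following Python script, added here as an example and not code from Cisco or VulDB, ties together the exploitation path described above and the monitoring control recommended in the mitigation paragraph. It builds the exact SNMPv1/v2c GET message an attacker would send, parses such messages from captured UDP payloads, and flags requests that carry a default community string or originate outside an assumed management network. Only the Python standard library is used; the community strings in DEFAULT_COMMUNITIES, the management network 10.0.0.0/24, and the sample traffic are assumptions constructed for the demonstration and are not claims about the specific value present on the affected Cisco software.

```python
"""SNMPv1/v2c GET builder, parser and default-community detector (added example)."""
import ipaddress
import socket

# Commonly shipped defaults; an assumption, not the value on the affected products.
DEFAULT_COMMUNITIES = {b"public", b"private"}

# --- minimal BER encoding for the subset of ASN.1 that SNMP uses -------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(v):
    # two's-complement INTEGER, minimal length (leading 0x00 when top bit is set)
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share a byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                           # base-128, high groups get 0x80
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1, version=1):
    """version 0 = SNMPv1, 1 = SNMPv2c. The community string is the only
    credential in the message and travels in clear text."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))   # OID + NULL value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + varbinds)  # GetRequest
    return _tlv(0x30, _int(version) + _tlv(0x04, community) + pdu)

# --- minimal BER decoding -----------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _read_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_snmp(packet):
    """Return version, community, PDU tag and OIDs of an SNMPv1/v2c message,
    or None when the bytes are not a well-formed message."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        _, ver, pos = _read_tlv(msg, 0)
        _, community, pos = _read_tlv(msg, pos)
        pdu_tag, pdu, _ = _read_tlv(msg, pos)
        if pdu_tag not in (0xA0, 0xA1, 0xA2, 0xA3):   # Get, GetNext, Response, Set
            return None
        pos = 0
        for _ in range(3):                            # request-id, error-status, error-index
            _, _, pos = _read_tlv(pdu, pos)
        _, vbl, _ = _read_tlv(pdu, pos)
        oids, pos = [], 0
        while pos < len(vbl):
            _, vb, pos = _read_tlv(vbl, pos)
            _, oid_body, _ = _read_tlv(vb, 0)
            oids.append(_read_oid(oid_body))
        return {"version": int.from_bytes(ver, "big"), "community": bytes(community),
                "pdu": pdu_tag, "oids": oids}
    except (IndexError, ValueError):
        return None

def flag_snmp_requests(records, management_net):
    """records: iterable of (src_ip, dst_ip, udp_payload). Flags Get/GetNext/Set
    requests that use a default community string or come from outside the
    management network (the allowed-source policy is an assumption)."""
    net = ipaddress.ip_network(management_net)
    findings = []
    for src, dst, payload in records:
        msg = parse_snmp(payload)
        if msg is None or msg["pdu"] == 0xA2:        # ignore responses
            continue
        reasons = []
        if msg["community"] in DEFAULT_COMMUNITIES:
            reasons.append("default community %r" % msg["community"].decode(errors="replace"))
        if ipaddress.ip_address(src) not in net:
            reasons.append("source outside management network")
        if reasons:
            findings.append((src, dst, msg["oids"], reasons))
    return findings

def probe(host, community=b"public", oid="1.3.6.1.2.1.1.1.0", timeout=2.0):
    """Live exposure check (not exercised offline): one SNMPv2c GET for sysDescr.
    Any parsed response to a community string you did not configure is the
    condition this page describes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, oid, request_id=0x1234), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_snmp(data)

# Constructed sample traffic: a legitimate poll from the management host and a
# default-community SNMPv1 GET from an untrusted address.
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.1", build_get_request(b"Zq7!nms-ro", "1.3.6.1.2.1.1.1.0", 7)),
    ("192.0.2.44", "10.0.0.1", build_get_request(b"public", "1.3.6.1.2.1.1.1.0", 8, version=0)),
]

if __name__ == "__main__":
    for src, dst, oids, why in flag_snmp_requests(SAMPLE_RECORDS, "10.0.0.0/24"):
        print(f"{src} -> {dst} GET {oids}: {'; '.join(why)}")
```

Run against the constructed records, the detector reports only the request from 192.0.2.44, for both reasons. The same parse_snmp function can be fed UDP/161 payloads pulled from a capture; because the community string is plain text in the message, the detection needs no key material and works on any SNMPv1/v2c traffic that crosses a monitored segment.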

Reservation

11/02/2021

Disclosure

11/16/2022

Moderation

accepted

CPE

ready

EPSS

0.00847

KEV

no

Activities

very low

Sources
