
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2022-20866) was discovered in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability, disclosed on August 10, 2022, affects ASA Software releases 9.16.1 and later and FTD Software releases 7.0.0 and later. This high-severity vulnerability (CVSS score: 7.4) is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography (Cisco Advisory, Hacker News).
Because of the way the logic error affects the mathematical calculations applied to the RSA key, approximately 5% of RSA keys on vulnerable devices are affected. An affected key is either still valid but susceptible to private key leakage through a Lenstra side-channel attack against the targeted device, or malformed and invalid, which results in TLS signature failures. Only RSA keys stored in memory or flash are impacted; ECDSA and EdDSA keys are not affected (Cisco Advisory).
If successfully exploited, an unauthenticated, remote attacker could retrieve the RSA private key. With the obtained private key, attackers could impersonate devices running Cisco ASA Software or FTD Software or decrypt device traffic. The vulnerability affects various Cisco products including ASA 5506-X, Firepower 1000 Series, 2100 Series, 4100 Series, 9300 Series Security Appliances, and Secure Firewall 3100 (Bleeping Computer, Cisco Advisory).
Cisco has released software updates that address this vulnerability. Fixed versions include ASA Software releases 9.16.3.19, 9.17.1.13, and 9.18.2, and FTD Software releases 7.0.4, 7.1.0.2-2, and 7.2.0.1. There are no workarounds available. Administrators should replace affected RSA keys and revoke any associated certificates. Cisco provides an off-box detection script to identify malformed or susceptible RSA keys (Cisco Advisory).
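The two defender-side checks implied above, an off-box consistency check for malformed RSA-CRT keys and a verify-after-sign guard that refuses to release a signature computed from a bad CRT component (the standard countermeasure to Lenstra-style key leakage), as an added illustration that is not Cisco's detection script or ASA/FTD code. The toy primes and the single-bit corruption are constructed for the demonstration.

```python
"""Consistency and sign-then-verify checks for an RSA-CRT private key.
Added example; toy parameters are constructed and not from any real device."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class RsaKey:
    n: int; e: int; d: int; p: int; q: int; dp: int; dq: int; qinv: int


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    # Derive every CRT component from p and q so the key starts out consistent.
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return RsaKey(n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def key_is_consistent(k: RsaKey) -> bool:
    # Off-box style check: a "malformed" key has a CRT component that no
    # longer agrees with p, q, e and d, so it will produce invalid signatures.
    return (k.p * k.q == k.n
            and (k.e * k.d) % ((k.p - 1) * (k.q - 1)) == 1
            and k.dp == k.d % (k.p - 1)
            and k.dq == k.d % (k.q - 1)
            and (k.q * k.qinv) % k.p == 1)


def crt_sign(m: int, k: RsaKey) -> int:
    # Textbook RSA-CRT: two half-size exponentiations recombined with Garner.
    s1 = pow(m, k.dp, k.p)
    s2 = pow(m, k.dq, k.q)
    h = (k.qinv * (s1 - s2)) % k.p
    return s2 + h * k.q


def sign_checked(m: int, k: RsaKey) -> Optional[int]:
    # Verify-after-sign: a signature whose CRT halves disagree must never
    # leave the device, because such a signature is what a Lenstra attack uses.
    s = crt_sign(m, k)
    return s if pow(s, k.e, k.n) == m % k.n else None


def corrupt_dp(k: RsaKey) -> RsaKey:
    # Simulate one wrong CRT component (constructed fault, single bit of dp).
    return replace(k, dp=k.dp ^ 1)


if __name__ == "__main__":
    key = make_key(10007, 10009)          # constructed toy primes
    print(key_is_consistent(key), sign_checked(42, key) is not None)
    bad = corrupt_dp(key)
    print(key_is_consistent(bad), sign_checked(42, bad))  # False None
```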
The vulnerability was discovered and reported by researchers Nadia Heninger and George Sullivan from the University of California San Diego, along with Jackson Sippe and Eric Wustrow from the University of Colorado Boulder. The security community has classified this as a high-severity vulnerability requiring immediate attention (Hacker News).
Source: This report was generated using AI