Do Not Trust the ASA, Trojans!

Conference: Black Hat USA 2022

2022-08-11

Summary

The presentation discusses various vulnerabilities and exploits in Cisco's Adaptive Security Appliance (ASA) and Firepower module, including man-in-the-middle attacks, credential leaks, code signing issues, and hard-coded credentials. The speaker demonstrates how an attacker can gain root access and persistence on the network through these vulnerabilities.
  • The speaker demonstrates how to exploit a man-in-the-middle vulnerability in the ASA's Adaptive Security Device Manager (ASDM) to steal credentials and gain access to the network.
  • The speaker shows how to use hard-coded credentials to gain root access to the Firepower module's boot image and install malicious code.
  • The speaker also discusses how to modify the Firepower install packages to install malicious code and trick victims into installing them.
  • Mitigations include disabling the ASDM feature, rotating passwords, and retiring/replacing the Firepower module.
  • The presentation emphasizes the importance of applying mitigating controls when patching is not an option.

The speaker demonstrates how they were able to use hard-coded credentials to gain root access to the Firepower module's boot image and install a malicious init script that would connect to an attacker's IP address every five minutes, even surviving reboots and upgrades. This allowed the attacker to gain persistence and access to the protected network and traffic flowing through the VM.

Abstract

Cisco ASA and ASA-X are widely deployed firewalls that are relied upon to protect internal networks from the dangers of the outside world. This key piece of network infrastructure is an obvious point of attack, and a known target for exploitation and implantation by APT such as the Equation Group. Yet it's been a number of years since a new vulnerability has been published that can provide privileged access to the ASA or the protected internal network. But all good things must come to an end.

In this talk, new vulnerabilities affecting the Cisco ASA will be presented. We'll exploit the firewall, the system's administrators, and the ASA-X FirePOWER module. The result of which should call into question the firewall's trustworthiness.

The talk will focus on the practical exploitation of the ASA using these new vulnerabilities. To that end, new tooling and Metasploit modules will be presented. For IT protectors, mitigation and potential indicators of compromise will also be explored.