Cisco Systems has released an updated advisory for CVE-2021-1585, a zero-day vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher that allows arbitrary remote code execution (RCE) on the operating system of the user running the Launcher. At the time of writing there is no workaround or patch for versions 9.16.1 and earlier. ASDM is a web-based GUI for managing Cisco Adaptive Security Appliance (ASA) firewalls and the Cisco AnyConnect Secure Mobility Client. Because the code exchanged between ASDM and the Launcher is not properly signature-verified, an attacker positioned as a man in the middle (MITM) between the Launcher and the ASA can substitute arbitrary code, which the Launcher then executes with the privileges of the user who started it.
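To make the weakness class concrete, here is an added model of a launcher that fetches code from a management endpoint, first as the vulnerable pattern (run whatever arrives) and then with a detached-signature check against a pinned public key. This is illustrative code written for this page, not ASDM's or Cisco's implementation: the `Appliance`, `Interpose` and `HardenedLaunch` names, the Ed25519 signature scheme and the `run` stand-in for executing fetched code are all assumptions chosen to keep the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Appliance models the management endpoint the launcher fetches code from
// (assumed: a signing key whose public half is pinned in the launcher).
type Appliance struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewAppliance generates a fresh signing key pair for the model.
func NewAppliance() (*Appliance, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Appliance{priv: priv, Pub: pub}, nil
}

// Serve returns the code blob together with a detached signature over it.
func (a *Appliance) Serve(code []byte) (blob, sig []byte) {
	return code, ed25519.Sign(a.priv, code)
}

// ErrBadSignature is returned when the fetched code does not verify.
var ErrBadSignature = errors.New("launcher: code signature does not verify against pinned key")

// run stands in for loading and executing fetched code; it only echoes here.
func run(blob []byte) string { return "executed: " + string(blob) }

// VulnerableLaunch mirrors the weakness class: the signature is ignored and
// whatever arrived on the wire is executed.
func VulnerableLaunch(blob, _ []byte) (string, error) {
	return run(blob), nil
}

// HardenedLaunch verifies the detached signature against the pinned public
// key before anything is executed.
func HardenedLaunch(pinned ed25519.PublicKey, blob, sig []byte) (string, error) {
	if !ed25519.Verify(pinned, blob, sig) {
		return "", ErrBadSignature
	}
	return run(blob), nil
}

// Interpose models an on-path attacker: it can replace the code but, lacking
// the signing key, can only forward the signature it observed.
func Interpose(blob, sig, injected []byte) ([]byte, []byte) {
	return injected, sig
}

// Scenario runs the constructed exchange: legitimate fetch, then the same
// fetch with an attacker on the path, against both launcher variants.
func Scenario() (legit, vulnerable string, hardenedErr error, err error) {
	app, err := NewAppliance()
	if err != nil {
		return "", "", nil, err
	}
	blob, sig := app.Serve([]byte("asdm-client.jar"))
	legit, err = HardenedLaunch(app.Pub, blob, sig)
	if err != nil {
		return "", "", nil, err
	}
	// Constructed MITM: the attacker swaps in their own code.
	tBlob, tSig := Interpose(blob, sig, []byte("attacker-payload.jar"))
	vulnerable, _ = VulnerableLaunch(tBlob, tSig)
	_, hardenedErr = HardenedLaunch(app.Pub, tBlob, tSig)
	return legit, vulnerable, hardenedErr, nil
}

func main() {
	legit, vulnerable, hardenedErr, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate fetch, hardened launcher:", legit)
	fmt.Println("tampered fetch, vulnerable launcher:", vulnerable)
	fmt.Println("tampered fetch, hardened launcher:  ", hardenedErr)
}
```

The signature check only covers the code itself; it does not replace validating the TLS certificate chain of the endpoint the code is fetched from, which is the separate, complementary control that the certificate recommendation below addresses.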
A proof-of-concept exploit for this vulnerability has been published by researcher Malcolm Lashley, who responsibly disclosed it to Cisco in December 2020. Since disabling the web-based GUI for firewall administration is likely infeasible in enterprise networks, organizations should install CA-signed certificates for ASDM, which raises the bar for an attacker trying to interpose on the Launcher's connection to the ASA; because Cisco's advisory lists no workaround, treat this as risk reduction rather than a complete fix. Where that cannot be done immediately, any request to run the ASDM Launcher, especially against an unfamiliar host or from an untrusted network, should be verified, as social engineering is the likely way an attacker places a victim in a position where the MITM attack can be carried out. Cisco has not yet reported exploitation in the wild, but with the code public it is likely only a matter of time before it is used in lateral movement attempts. A layered defense-in-depth strategy that includes MDR and proactive threat hunting, such as the services offered by Binary Defense, remains the recommended way to catch and contain such intrusions.