Triskele Labs Blog

Vulnerabilities Identified in Cisco Adaptive Security Appliance and Firepower Threat Defense Software

Written by Adam Skupien, Vulnerability Security Analyst | Apr 30, 2024 3:33:55 AM

Published: 30 April 2024

Prepared by: Adam Skupien, Vulnerability Security Analyst

 

PURPOSE 

The purpose of this alert is to bring attention to two HIGH and one MEDIUM, publicly released vulnerabilities identified as CVE-2024-20353, CVE-2024-20359 and CVE-2024-20358, present in the Cisco Adaptive Security Appliance and Firepower Threat Defense Software. Exploitation of CVE-2024-20353 may result in an unauthenticated remote attacker being able to cause the device to reload unexpectedly resulting in Denial Of Service (DOS). Exploitation of either CVE-2024-20359 or CVE-2024-20358 could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) with root-level privileges. 

On 26 April 2024, the Australian Cyber Security Centre (ACSC) released an advisory addressing these vulnerabilities and encouraging organisations to remediate these vulnerabilities as a priority.  

Cisco has also advised they are aware of an active espionage-related campaign named ArcaneDoor where these vulnerabilities have been exploited and recommends immediate remediation.

CVE-2024-20353 and CVE-2024-20359 have been added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue.  

 

DETAILS 

On 24 April 2024, Cisco issued notifications for the following vulnerabilities: 

CVE-2024-20353 Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability. Threat Actors have begun exploiting this vulnerability in the wild. The vulnerability affects Cisco ASA and FTD Software with enabled SSL listen sockets. The following command can be used to look for an SSL listen socket on any TCP port: 

show asp table socket | include SSL 

If a socket is present in the output, the device should be considered vulnerable. The vulnerability has been mapped to CWE-835 by MITRE, a Loop with Unreachable Exit Condition (Infinite Loop). Cisco has released a software update to address this vulnerability. 

CVE-2024-20359 Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability. Threat Actors have begun exploiting this vulnerability in the wild. The vulnerability affects Cisco ASA and FTD Software, no specific configuration is required. The vulnerability has been mapped to CWE-94 by MITRE, Improper Control of Generation Code (Code Injection). Cisco has released a software update to address this vulnerability. 

CVE-2024-20358 Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability. The Cisco Product Security Incident Response Team (PSIRT) is not currently aware of active exploits of this vulnerability. The vulnerability affects Cisco ASA and FTD Software. No specific configuration is required for Cisco ASA. Cisco FTD Software is affected only when lockdown mode has been enabled to restrict Linux shell access. The vulnerability has been mapped to CWE-78 by MITRE, Improper Neutralization of Special Elements used in an OS Command (OS Command Injection). Cisco has released a software update to address this vulnerability.  

 

MITIGATION ACTIONS 

Cisco have released software updates to address all listed vulnerabilities. Triskele Labs recommends that these updates should be applied as a priority to the organisation. If patching of these devices is not possible or unsupported, the ASCS recommends discontinuing the use of them in an organisation. 

 

DETECTION 

Managed Detection and Response (MDR) platforms can monitor an environment for suspicious activity relating to the exploitation of this vulnerability. However, as these assets are appliances, they cannot run the Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) agent, which reduces overall visibility on the platform.  

Please ensure that these devices are sending syslog to a SIEM so that malicious indicators can be identified.  

Cisco can assist customers in verifying the integrity of their Cisco ASA or FTD devices: 

 

  1. Log in to the suspect device CLI. 
  2. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command. 
  3. Use the enable command to change into privileged EXEC mode. 
  4. Note: On devices that are running Cisco FTD Software, the enable password is blank. 
  5. Collect the outputs of the following commands:
  • show version 
  • verify /SHA-512 system:memory/text 
  • debug menu memory 8 
 6. Open a case with the Cisco Technical Assistance Center (TAC). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3. 

 

The National Cyber Security Centre has released malware analysis reports for two malicious shells used to target Cisco ASAs, Line Dancer and Line Runner which provide guidance in discovering and mitigating malicious activity associated with these vulnerabilities.  

Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs).