Dear Reader,

On Wednesday 24 April 2024, Cisco warned of two actively exploited vulnerabilities (CVE-2024-20353 [1] and CVE-2024-20359 [2]) affecting Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software. CVE-2024-20353 allows an unauthenticated, remote attacker to cause a vulnerable device to reload (denial of service); CVE-2024-20359 allows an authenticated attacker with administrator-level privileges to execute arbitrary code with root privileges on the device, and that code persists across reboots. Cisco Talos reports that both vulnerabilities have been used in an espionage campaign (ArcaneDoor) by a nation state threat actor targeting government organisations and their suppliers, with actor activity dating back to November 2023 [3].

We recommend checking whether a vulnerable version of Cisco ASA or FTD software is in use within your environment and, if so, taking immediate action by updating the device to a fixed software version.

Description

CVE-2024-20353 is a denial-of-service vulnerability in the management and VPN web servers of Cisco ASA and FTD software: an unauthenticated, remote attacker can send crafted requests that cause the device to reload unexpectedly. CVE-2024-20359 is a persistent local code execution vulnerability in a legacy capability for preloading VPN clients and plug-ins: an authenticated attacker with administrator privileges can execute arbitrary code with root-level privileges, and because the code is executed again at boot, it survives reboots. In the observed campaign the attacker used this foothold to run commands on the device, capture network traffic and exfiltrate the device configuration [3].

Impact

We determine the impact of these vulnerabilities to be HIGH. An attacker who obtains administrative access to a device can use CVE-2024-20359 to run arbitrary code as root and retain that access across reboots, giving full control over a perimeter device that terminates VPN sessions and inspects traffic. This can lead to severe consequences such as interception of network traffic and exfiltration of sensitive data, including the device configuration. CVE-2024-20353 additionally allows an unauthenticated remote attacker to force a reload of the device, causing an outage.

Risk

We determine the risk of these vulnerabilities to be HIGH due to the widespread use of Cisco ASA and FTD as internet-facing perimeter devices and the likelihood of broader exploitation now that the vulnerabilities are publicly known. The primary risks are privilege escalation to root on the device, unauthorised access to your environment through the VPN, and sensitive data exfiltration. CVE-2024-20359 requires administrative access to the device, which somewhat dampens the risk. However, at the time of writing Cisco has not determined how the attackers obtained that initial access, so treating the attack chain as exploitable without prior authentication is wise. Furthermore, Cisco indicates that the implanted backdoor persists across reboots, which raises the risk level further.

At the time of writing, Cisco has observed active exploitation of CVE-2024-20353 and CVE-2024-20359, with actor activity dating back to November 2023 [3].

Mitigation

Cisco has released free software updates that address the vulnerabilities [4]. There are no workarounds; updating to a fixed release is the only mitigation.

What should you do?

We recommend updating Cisco ASA and FTD to the fixed software versions as soon as possible [4]. Note that installing the update does not by itself tell you whether a device was already compromised before it was patched. Cisco has outlined two methods to check a device for signs of compromise [3]; Northwave strongly recommends running these checks, especially for customers with an elevated risk profile for nation state threat actors. If you have any indication that your device was compromised, please reach out to our Incident Response Team at 00800 1744 0000.
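The first step above, determining whether a device runs a vulnerable release, is easy to get wrong across a fleet because Cisco lists fixes per release train (for example 9.18) and earlier trains must be migrated rather than patched. The following script is an added example written for this advisory, not Cisco's or Northwave's own tooling. It parses the version line of ASA and FTD `show version` output (the sample outputs below are constructed) and compares it with a per-train "first fixed release" table. The table shipped here is a placeholder with made-up values; before use, fill it with the actual first fixed releases for both CVEs from the Cisco advisories [1] and [2].

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# ASA prints "Software Version 9.18(4)22" = major.minor(maintenance)interim;
# the interim number may be absent, e.g. "9.16(4)".
ASA_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)")
# FTD prints "Version 7.2.5 (Build 208)" or "Version 7.2.5.1 (Build 29)";
# the build number is not part of the release and is ignored.
FTD_RE = re.compile(
    r"Firepower Threat Defense.*?Version\s+(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

# PLACEHOLDER table, constructed for this example. These are NOT Cisco's real
# fixed releases: copy the "First Fixed Release" columns from advisories [1] and [2].
EXAMPLE_FIRST_FIXED: Dict[str, Dict[str, str]] = {
    "asa": {"9.16": "9.16.4.99", "9.18": "9.18.4.99", "9.20": "9.20.2.99"},
    "ftd": {"7.0": "7.0.6.99", "7.2": "7.2.5.99", "7.4": "7.4.1.99"},
}

# Constructed sample `show version` output (not captured from real devices).
SAMPLE_ASA = """\
Cisco Adaptive Security Appliance Software Version 9.18(4)22
SSP Operating System Version 2.12(0.498)
Device Manager Version 7.18(1)
"""
SAMPLE_FTD = "Model : Cisco Firepower Threat Defense for VMware (75) Version 7.2.5 (Build 208)\n"
SAMPLE_OLD_TRAIN = "Cisco Adaptive Security Appliance Software Version 9.8(4)\n"


def parse_show_version(output: str) -> Tuple[str, Version]:
    """Return ("asa" or "ftd", 4-tuple version) from raw `show version` output."""
    m = ASA_RE.search(output)
    if m:
        major, minor, maint, interim = m.groups()
        return "asa", (int(major), int(minor), int(maint), int(interim or 0))
    m = FTD_RE.search(output)
    if m:
        major, minor, maint, patch = m.groups()
        return "ftd", (int(major), int(minor), int(maint), int(patch or 0))
    raise ValueError("no recognised ASA/FTD version string in output")


def parse_release(release: str) -> Version:
    """Turn the dotted form used in advisory tables ('9.18.4.22', '7.2.5') into a 4-tuple."""
    parts = [int(p) for p in release.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected release format: {release!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def fmt(v: Version) -> str:
    return ".".join(str(c) for c in v)


def assess(product: str, running: Version,
           first_fixed: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Compare the running version with the first fixed release of its train.

    Anything earlier than the first fixed release in the same train is vulnerable;
    a train with no fixed release listed must be migrated to a supported train.
    """
    train = f"{running[0]}.{running[1]}"
    table = first_fixed.get(product, {})
    if train not in table:
        return "MIGRATE", f"{product.upper()} train {train} has no fixed release listed"
    fixed = parse_release(table[train])
    if running < fixed:  # tuple comparison is component-wise, left to right
        return "VULNERABLE", f"{product.upper()} {fmt(running)} is older than first fixed {fmt(fixed)}"
    return "FIXED", f"{product.upper()} {fmt(running)} is at or above first fixed {fmt(fixed)}"


def check_device(output: str, first_fixed: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    product, running = parse_show_version(output)
    return assess(product, running, first_fixed)


if __name__ == "__main__":
    for name, out in [("asa", SAMPLE_ASA), ("ftd", SAMPLE_FTD), ("old", SAMPLE_OLD_TRAIN)]:
        verdict, reason = check_device(out, EXAMPLE_FIRST_FIXED)
        print(f"{name}: {verdict} ({reason})")
```

Feed it the saved `show version` output of each device (for example collected over SSH by your configuration management tooling) and treat both VULNERABLE and MIGRATE as findings that need action; a device on a train that Cisco no longer lists will never receive a fix, no matter how recent its release within that train looks.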

What will Northwave do?

For customers with Managed Detection & Response (MDR) including NIDS, Northwave will contact the customers whose environments show connections to the indicators of compromise (IoCs) shared by Cisco [3].

We will monitor developments regarding these vulnerabilities. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: soc@northwave.nl 

Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Sources

[1]: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2

[2]: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

[3]: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

[4]: https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu

Disclaimer applies, see below.

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.