Cisco ArcaneDoor Vulnerabilities: How to Defend Against CVE-2024-20353, CVE-2024-20359

This content was originally published by Skybox Security and has been preserved here on tufin.com for posterity.

Two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, were found being exploited against Cisco ASA and FTD. Learn how you can defend against them.

Earlier this year, state-sponsored threat actors were suspected of targeting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices. On April 24th, 2024, after months of research involving several public and private sector organizations, Cisco disclosed the vulnerabilities and their patches. This espionage-focused campaign, dubbed “ArcaneDoor” by Cisco Talos (the company’s threat intelligence arm), exploited two vulnerabilities: CVE-2024-20353 and CVE-2024-20359. A third vulnerability, CVE-2024-20358, was discovered during the research but was not exploited in the wild.

The vulnerabilities: CVE-2024-20353 and CVE-2024-20359

Neither vulnerability is rated Critical, but given how widely ASA and FTD are deployed, they are very likely to affect many organizations. The more severe of the two, CVE-2024-20353, has a CVSS v3 base score of 8.6 (High severity).

CVE-2024-20353 is a denial-of-service (DoS) vulnerability that stems from incomplete error checking when parsing an HTTP header. A remote attacker could exploit the issue by sending a crafted HTTP request to the affected device. Not all configurations of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) are vulnerable; customers are advised to check their devices’ configurations against the instructions in Cisco advisory cisco-sa-asaftd-websrvs-dos-X8gNucD2.

CVE-2024-20359 is a code execution vulnerability that stems from improper validation of a file when it is read from system flash memory. A local attacker could exploit the issue by copying a crafted file to the disk0: file system of an affected device. Although it was given a CVSS v3 base score of only 6.0 (Medium severity), Cisco noted that the injected code could persist across device reboots and raised the Security Impact Rating (SIR) of the advisory from Medium to High.

Both vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog the day they were published.

The attacks

None of the organizations involved in the research could associate the threat actors with a known APT group, nor could they identify their sponsoring countries. However, technical details of the attacks indicated that the attackers used two custom pieces of malware:

Line Dancer – according to Talos, this malware was used to:

  • Disable syslog.
  • Run the show configuration command and exfiltrate its output.
  • Create and exfiltrate packet captures.
  • Execute CLI commands embedded in shellcode.
  • Hook the crash dump process to minimize traces of compromise.
  • Hook the AAA (Authentication, Authorization and Accounting) function to give the attackers remote access to the compromised device through a VPN tunnel that bypasses the configured AAA mechanisms.

Line Runner – this malware is a backdoor that was used to maintain persistence on the compromised device.
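The first action attributed to Line Dancer above is disabling syslog, which makes a collector-side check for ASA devices that go quiet, or that log a "no logging" command, a cheap detection. The following is an added example, not code from the original post or from Cisco or Talos: the hostnames and log lines are constructed, and the line layout and the use of message ID 111008 for CLI command auditing are assumptions about what an ASA sends to a remote syslog server.

```python
"""Flag ASA devices whose syslog feed goes quiet or whose logging was
turned off from the CLI (Line Dancer's first reported action)."""
from datetime import datetime, timedelta
import re

# Constructed sample lines, not real captures. Layout assumed to follow
# "<timestamp> <host> : %ASA-<sev>-<id>: <text>" as received by a remote
# collector; message 111008 is assumed to audit executed CLI commands.
SAMPLE_LOG = """\
2024-04-20T10:00:00 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1001
2024-04-20T10:00:05 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 2001
2024-04-20T10:05:00 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1002
2024-04-20T10:05:10 fw-edge-2 : %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command
2024-04-20T10:10:00 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1003
2024-04-20T10:15:00 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1004
"""

LINE_RE = re.compile(r"^(\S+) (\S+) : %ASA-(\d)-(\d{6}): (.*)$")
# Commands that silence or redirect logging ('no logging enable',
# 'no logging host', 'clear logging buffer', ...).
SILENCING_CMD = re.compile(r"executed the '((?:no|clear) logging[^']*)'")

def find_silenced_devices(log_text, now, max_gap=timedelta(minutes=5)):
    """Return {host: reason} for hosts that disabled logging via CLI or
    that sent nothing for longer than max_gap before `now` (ISO string
    or datetime). A silence gap is only reported when no CLI reason exists."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen, reasons = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA line; other sources are ignored
        ts, host, _sev, msg_id, text = m.groups()
        last_seen[host] = datetime.fromisoformat(ts)
        cmd = SILENCING_CMD.search(text) if msg_id == "111008" else None
        if cmd:
            reasons[host] = f"logging disabled via CLI: {cmd.group(1)}"
    for host, seen in last_seen.items():
        gap = now - seen
        if gap > max_gap:
            reasons.setdefault(host, f"no syslog for {gap}; last seen {seen.isoformat()}")
    return reasons

if __name__ == "__main__":
    for host, why in sorted(find_silenced_devices(SAMPLE_LOG, "2024-04-20T10:30:00").items()):
        print(f"{host}: {why}")
```

A device that stops reporting is not proof of compromise on its own, but a gap from a firewall that was previously chatty is worth correlating with the forensic checks Talos describes.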

Current solutions

Cisco has published fixed versions of Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Further details can be found in Cisco PSIRT advisories for CVE-2024-20353 and CVE-2024-20359. The company also suggested additional steps to protect against these vulnerabilities.

The Talos team also provides forensic methods for checking whether a device was compromised, along with additional recommendations for identifying Line Dancer and/or Line Runner on ASA and FTD devices.
