Nation-State Campaign against CVE-2024-20353 Cisco’s Adaptive Security ASA Appliance and Firepower Threat Defense Vulnerabilities #2

Explore critical insights on CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 affecting Cisco ASA and FTD software. Learn about the implications, Cisco's response, and effective vulnerability management/ UVM/ASPM strategies to safeguard your network. Stay updated on the latest patches and security measures."
cisco, asa, CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359, uvm, cybersecurity, vulnerability, ASPM

Cisco has recently disclosed a series of vulnerabilities targeted by nation-state actors; discover how to protect yourself by leveraging ASPM and Unified Vulnerabilities management technologies to identify and resolve CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359. CISCO TALOS, has recently been at the centre of attention due to the discovery of critical vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These vulnerabilities catalogued as CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359, have been exploited in a state-sponsored malware campaign known as ArcaneDoor, shedding light on the importance of robust vulnerability management practices. This article delves into these vulnerabilities, their implications, and the proactive steps organizations can take to safeguard their networks.

Vulnerable Products affected by CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359

  • Affected Products: The vulnerability impacts products running specific releases of Cisco ASA Software or FTD Software, with no particular configuration required to be at risk.
  • Non-Affected Products: Cisco Firepower Management Center (FMC) Software is confirmed not to be vulnerable.

Workarounds

  • No Available Workarounds: There are no workarounds that effectively address this specific vulnerability.

Fixed Software

  • Software Updates: Cisco has released free software updates that resolve the vulnerability detailed in the advisory.
  • Update Channels: Customers with valid service contracts should obtain these updates through their standard update mechanisms.
  • Licensing Compliance: It’s essential for customers to install only those software versions and feature sets for which they hold a license. The installation and use of Cisco software are governed by the terms of the Cisco software license.
  • Access to Updates: Updates can be accessed by customers via the Cisco Support and Downloads page, provided they have a valid license, either purchased directly from Cisco or through an authorized reseller or partner.
  • No Entitlement Changes: Free security software updates do not grant new software licenses, additional features, or major revision upgrades.

Unpacking the Vulnerabilities

CVE-2024-20353: The Denial of Service Threat

CVE-2024-20353 presents a significant risk as a Web Services Denial-of-Service (DoS) vulnerability within Cisco’s ASA and FTD software. Attackers exploiting this vulnerability can cause the affected service to reload unexpectedly or cease processing traffic, leading to denial of service.

Exploitation and Impact: An exploit for CVE-2024-20353 would typically involve sending crafted packets to vulnerable devices, disrupting operations and potentially allowing attackers to stage further intrusions.

Cisco’s Response and Patches: Cisco has acknowledged the vulnerability and released software updates that address these risks. It is crucial for users to apply these patches to mitigate the potential for exploitation.

CVE-2024-20359: Local Code Execution Flaw

CVE-2024-20359 allows a local attacker to execute arbitrary code with root-level privileges on affected systems. However, it requires administrative privileges to exploit, limiting the range of potential attackers to those who already have significant access to the vulnerable system.

Exploitation and Code Execution: This vulnerability underscores the necessity for stringent access controls and monitoring of privileged accounts within an organization’s network.

CVE-2024-20358: Command Injection Vulnerability

This flaw was identified during routine security testing, illustrating the importance of continuous security assessments in identifying potential threats. CVE-2024-20358 allows for command injection attacks, which could enable an attacker to execute unauthorized commands on the affected device.

cisco, asa, CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359, exploitation, talos timeline

The ArcaneDoor Campaign

The ArcaneDoor campaign highlights the strategic targeting of perimeter network devices by state-sponsored actors. By exploiting the aforementioned vulnerabilities, attackers have deployed malware, such as the custom-built implants “Line Runner” and “Line Dancer,” to perform reconnaissance, capture network traffic, and potentially move laterally within the network.

Tactical Overview: The campaign’s use of these specific vulnerabilities reveals a highly sophisticated approach to gaining sustained access to targeted networks, emphasizing the need for advanced detection mechanisms and swift incident response capabilities.

Initial Access

  • Unknown Vector: The initial access method for the campaign remains unidentified, with no evidence pointing to pre-authentication exploitation as part of this specific campaign.
  • Ongoing Investigation: Cisco continues to investigate and promises to update the security advisories or blog as new information becomes available.

Technical Details of Line Dancer: In-Memory Implant

  • Memory-Only Operation: Line Dancer operates exclusively in memory, avoiding disk storage to complicate detection.
  • Shellcode Execution: It allows the execution of arbitrary shellcode submitted by attackers through the host-scan-reply field in SSL VPN and IPsec/IKEv2 VPN configurations.
  • Post Authentication Bypass: The implant manipulates the host-scan-reply field to override default code and execute shellcode, bypassing traditional management and authentication processes.

Forensic Recovery and Identification of Line Runner

  • Update and Inspection: Post-update to a patched firmware that addresses CVE-2024-20359, inspect disk0: for unusual files like “client_bundle_install.zip” indicating prior compromise.
  • Command-based Detection: Generate an innocuous .zip file through commands; presence of new .zip files post-reload on disk0: suggests past Line Runner activity. Remove identified .zip files to eliminate the backdoor.

Anti-Forensics/Anti-Analysis Capabilities

  • Complex Evasion Techniques: Line Dancer employs sophisticated evasion tactics like disabling logging and hooking into the crash dump process to prevent forensic analysis.
  • AAA Function Manipulation: Hooks the AAA function to facilitate unauthorized access via a “magic number,” bypassing standard security checks.

Attribution

  • State-Sponsored Actor: The complexity and strategic execution of the backdoors suggest they are the work of a state-sponsored entity, supported by the sophisticated integration of zero-day vulnerabilities and anti-forensic measures.

Recommendations for Detection and Mitigation

  • Traffic Monitoring: Watch for suspicious traffic flows to and from ASA devices related to known malicious IP addresses.
  • Memory Region Checks: Use show memory region | include lina to detect unusual executable memory regions as signs of tampering.
  • Avoid Typical Forensic Methods: If tampering is suspected, avoid collecting core dumps or rebooting the device to prevent triggering anti-forensic mechanisms.
  • Use Snort Signatures: Implement provided Snort signatures to detect associated malicious activities. Ensure capabilities to decrypt TLS are active for these signatures to be effective.
  • Engage Cisco TAC: If connections to malicious IPs are detected and alterations to crash dump functionalities are noted, engage with Cisco’s Technical Assistance Center for specialized support.

Exploitation 2024-20353 

Cisco Talos has identified exploitation of CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 that have been seen by a large-scale exploitation is still absent, this attack is at the initial stage and evolving

EPSS is still low 0.002260000

Nonetheless, the distribution of cisco equipment is quite widespread and the ASA being internet facing are prone to probes

cisco, asa, CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359, distribution, vulnerability

Cisco is constantly under problems from attackers from Shadowserver’s day map of attacks: 

cisco, asa, CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359, uvm, cybersecurity, vulnerability,  shadowserver

Vulnerability Management and Mitigation Strategies

In response to these vulnerabilities, organizations should implement comprehensive vulnerability management strategies that include regular updates, strict access controls, and ongoing monitoring.

Unified Vulnerability Management (UVM)

UVM integrates various aspects of vulnerability management, from detection and assessment to remediation, providing a holistic approach to securing organizational assets against known vulnerabilities.

Adaptive Security Posture Management (ASPM)

ASPM focuses on continuously adapting security measures based on current threat intelligence and organizational risk posture. It helps ensure that security controls are always aligned with the latest threats, including zero-day exploits.

Community Engagement and Resources

GitHub and Reddit Discussions: The cybersecurity community on platforms like GitHub and Reddit has been actively discussing CVE-2024-20353, sharing proof-of-concept (PoC) codes and mitigation experiences. These discussions are invaluable for organizations looking to understand the practical impacts of these vulnerabilities and learn from real-world applications.

Accessing PoC and Other Resources: For security researchers and IT professionals, access to PoC codes on GitHub provides insight into the exploitability of vulnerabilities, aiding in the development of more robust defenses.

Conclusion

The discovery of CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 within Cisco’s ASA and FTD software, and their exploitation by the ArcaneDoor campaign, serve as a stark reminder of the importance of advanced security measures and proactive vulnerability management. Organizations must remain vigilant, updating their security practices regularly and engaging with the cybersecurity community to stay ahead of threats.

How Phoenix Security ASPM and UVM Can Help Identify and schedule a Campaign for CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 CISCO ASA high vulnerability

attack graph phoenix security
ASPM, vulnerability

Phoenix Security helps organizations identify and trace which systems are compromised with vulnerabilities, understanding the relation between code and the cloud. The complexity of this vulnerability derives from the widespread of implementation as well as 3rd party suppliers that might be affected by it. Unified Vulnerability Management and ASPM tools can scan the application portfolio to identify instances of vulnerable Linux and which version is exploitable, mapping out where it is deployed across the organization.

Phoenix campaigns in ASPM and in the Unified Vulnerability Management UVM module allow you to address CVE-2024-20353 in bulk with others.

vulnerability, ASA, CVE-2024-20353 , cisco

Import vulnerabilities or scan your system externally, leveraging the ASPM and UVM external attack surface to pinpoint all instances of the affected ASA. Its deep integration capabilities enable it to interface seamlessly with existing network architecture, providing a comprehensive audit of systems using the GlobalProtect gateway with device telemetry features enabled.

Prioritizing Exposed Systems:

With the inherent capability to assess exposure levels, Phoenix prioritizes remediation efforts based on risk and exposure. More exposed systems—such as those facing the internet or containing sensitive data—are bumped up in the remediation queue, ensuring that the most vulnerable assets are secured first.

Prioritize and Structure Remediation Campaigns addressing CVE-2024-20353 in bulk.

Tracking Remediation:

Phoenix’s real-time ASPM and UVM dashboard offers organizations a bird’s-eye view of the remediation process. It tracks the progress of patch deployments and the status of applied workarounds, ensuring that IT teams are informed at every step. Phoenix’s granular reporting enables organizations to monitor which systems are secured and which still require attention.

Get in control of your Application Security posture and Vulnerability management

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

The team at Phoenix Security pleased to bring you another set of new application security (ASPM) features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Application Security Posture Management – New Weighted Asset Risk Formula – Auto-approval of Risk Exceptions Asset and Vulnerability Management – Relative Time Filter for Vulnerabilities and Assets – Introduce “Ticket References” for Findings – Search Findings by Ticket ID – Asset Pages now have Settings “memory” Integrations – Snyk IaC+ Vulnerabilities – Extended REST API Other Improvements – Vulnerability Timeline as Stacked Lines – Display App/Env for Assigned Assets
Alfonso Eusebio
Discover the current state of the National Vulnerability Database (NVD) and its significant backlog of 16,476 vulnerabilities. Learn how CISA’s Vulnrichment program and Phoenix Security’s ASPM adn UVM advanced solutions are addressing the challenges in VM, application security, and threat intelligence to enhance cybersecurity resilience.
Francesco Cipollone
Phoenix Security, a leader in cybersecurity innovation, is a finalist in the Infosec Most Innovative Cyber SME Competition 2024. Recognized for its cutting-edge threat intelligence and application security solutions, Phoenix will showcase at Infosec 2024, June 4-6, in London. Backed by significant investments and a stellar advisory board, Phoenix continues to drive industry leadership and excellence. Learn more about their journey and groundbreaking solutions.
Francesco Cipollone

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO