Cisco has recently disclosed a series of vulnerabilities targeted by nation-state actors; discover how to protect yourself by leveraging ASPM and Unified Vulnerabilities management technologies to identify and resolve CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359. CISCO TALOS, has recently been at the centre of attention due to the discovery of critical vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These vulnerabilities catalogued as CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359, have been exploited in a state-sponsored malware campaign known as ArcaneDoor, shedding light on the importance of robust vulnerability management practices. This article delves into these vulnerabilities, their implications, and the proactive steps organizations can take to safeguard their networks.
Vulnerable Products affected by CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359
- Affected Products: The vulnerability impacts products running specific releases of Cisco ASA Software or FTD Software, with no particular configuration required to be at risk.
- Non-Affected Products: Cisco Firepower Management Center (FMC) Software is confirmed not to be vulnerable.
Workarounds
- No Available Workarounds: There are no workarounds that effectively address this specific vulnerability.
Fixed Software
- Software Updates: Cisco has released free software updates that resolve the vulnerability detailed in the advisory.
- Update Channels: Customers with valid service contracts should obtain these updates through their standard update mechanisms.
- Licensing Compliance: It’s essential for customers to install only those software versions and feature sets for which they hold a license. The installation and use of Cisco software are governed by the terms of the Cisco software license.
- Access to Updates: Updates can be accessed by customers via the Cisco Support and Downloads page, provided they have a valid license, either purchased directly from Cisco or through an authorized reseller or partner.
- No Entitlement Changes: Free security software updates do not grant new software licenses, additional features, or major revision upgrades.
Unpacking the Vulnerabilities
CVE-2024-20353: The Denial of Service Threat
CVE-2024-20353 presents a significant risk as a Web Services Denial-of-Service (DoS) vulnerability within Cisco’s ASA and FTD software. Attackers exploiting this vulnerability can cause the affected service to reload unexpectedly or cease processing traffic, leading to denial of service.
Exploitation and Impact: An exploit for CVE-2024-20353 would typically involve sending crafted packets to vulnerable devices, disrupting operations and potentially allowing attackers to stage further intrusions.
Cisco’s Response and Patches: Cisco has acknowledged the vulnerability and released software updates that address these risks. It is crucial for users to apply these patches to mitigate the potential for exploitation.
CVE-2024-20359: Local Code Execution Flaw
CVE-2024-20359 allows a local attacker to execute arbitrary code with root-level privileges on affected systems. However, it requires administrative privileges to exploit, limiting the range of potential attackers to those who already have significant access to the vulnerable system.
Exploitation and Code Execution: This vulnerability underscores the necessity for stringent access controls and monitoring of privileged accounts within an organization’s network.
CVE-2024-20358: Command Injection Vulnerability
This flaw was identified during routine security testing, illustrating the importance of continuous security assessments in identifying potential threats. CVE-2024-20358 allows for command injection attacks, which could enable an attacker to execute unauthorized commands on the affected device.
The ArcaneDoor Campaign
The ArcaneDoor campaign highlights the strategic targeting of perimeter network devices by state-sponsored actors. By exploiting the aforementioned vulnerabilities, attackers have deployed malware, such as the custom-built implants “Line Runner” and “Line Dancer,” to perform reconnaissance, capture network traffic, and potentially move laterally within the network.
Tactical Overview: The campaign’s use of these specific vulnerabilities reveals a highly sophisticated approach to gaining sustained access to targeted networks, emphasizing the need for advanced detection mechanisms and swift incident response capabilities.
Initial Access
- Unknown Vector: The initial access method for the campaign remains unidentified, with no evidence pointing to pre-authentication exploitation as part of this specific campaign.
- Ongoing Investigation: Cisco continues to investigate and promises to update the security advisories or blog as new information becomes available.
Technical Details of Line Dancer: In-Memory Implant
- Memory-Only Operation: Line Dancer operates exclusively in memory, avoiding disk storage to complicate detection.
- Shellcode Execution: It allows the execution of arbitrary shellcode submitted by attackers through the host-scan-reply field in SSL VPN and IPsec/IKEv2 VPN configurations.
- Post Authentication Bypass: The implant manipulates the host-scan-reply field to override default code and execute shellcode, bypassing traditional management and authentication processes.
Forensic Recovery and Identification of Line Runner
- Update and Inspection: Post-update to a patched firmware that addresses CVE-2024-20359, inspect disk0: for unusual files like “client_bundle_install.zip” indicating prior compromise.
- Command-based Detection: Generate an innocuous .zip file through commands; presence of new .zip files post-reload on disk0: suggests past Line Runner activity. Remove identified .zip files to eliminate the backdoor.
Anti-Forensics/Anti-Analysis Capabilities
- Complex Evasion Techniques: Line Dancer employs sophisticated evasion tactics like disabling logging and hooking into the crash dump process to prevent forensic analysis.
- AAA Function Manipulation: Hooks the AAA function to facilitate unauthorized access via a “magic number,” bypassing standard security checks.
Attribution
- State-Sponsored Actor: The complexity and strategic execution of the backdoors suggest they are the work of a state-sponsored entity, supported by the sophisticated integration of zero-day vulnerabilities and anti-forensic measures.
Recommendations for Detection and Mitigation
- Traffic Monitoring: Watch for suspicious traffic flows to and from ASA devices related to known malicious IP addresses.
- Memory Region Checks: Use show memory region | include lina to detect unusual executable memory regions as signs of tampering.
- Avoid Typical Forensic Methods: If tampering is suspected, avoid collecting core dumps or rebooting the device to prevent triggering anti-forensic mechanisms.
- Use Snort Signatures: Implement provided Snort signatures to detect associated malicious activities. Ensure capabilities to decrypt TLS are active for these signatures to be effective.
- Engage Cisco TAC: If connections to malicious IPs are detected and alterations to crash dump functionalities are noted, engage with Cisco’s Technical Assistance Center for specialized support.
Exploitation 2024-20353
Cisco Talos has identified exploitation of CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 that have been seen by a large-scale exploitation is still absent, this attack is at the initial stage and evolving
EPSS is still low 0.002260000
Nonetheless, the distribution of cisco equipment is quite widespread and the ASA being internet facing are prone to probes
Cisco is constantly under problems from attackers from Shadowserver’s day map of attacks:
Vulnerability Management and Mitigation Strategies
In response to these vulnerabilities, organizations should implement comprehensive vulnerability management strategies that include regular updates, strict access controls, and ongoing monitoring.
Unified Vulnerability Management (UVM)
UVM integrates various aspects of vulnerability management, from detection and assessment to remediation, providing a holistic approach to securing organizational assets against known vulnerabilities.
Adaptive Security Posture Management (ASPM)
ASPM focuses on continuously adapting security measures based on current threat intelligence and organizational risk posture. It helps ensure that security controls are always aligned with the latest threats, including zero-day exploits.
Community Engagement and Resources
GitHub and Reddit Discussions: The cybersecurity community on platforms like GitHub and Reddit has been actively discussing CVE-2024-20353, sharing proof-of-concept (PoC) codes and mitigation experiences. These discussions are invaluable for organizations looking to understand the practical impacts of these vulnerabilities and learn from real-world applications.
Accessing PoC and Other Resources: For security researchers and IT professionals, access to PoC codes on GitHub provides insight into the exploitability of vulnerabilities, aiding in the development of more robust defenses.
Conclusion
The discovery of CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 within Cisco’s ASA and FTD software, and their exploitation by the ArcaneDoor campaign, serve as a stark reminder of the importance of advanced security measures and proactive vulnerability management. Organizations must remain vigilant, updating their security practices regularly and engaging with the cybersecurity community to stay ahead of threats.
How Phoenix Security ASPM and UVM Can Help Identify and schedule a Campaign for CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 CISCO ASA high vulnerability
Phoenix Security helps organizations identify and trace which systems are compromised with vulnerabilities, understanding the relation between code and the cloud. The complexity of this vulnerability derives from the widespread of implementation as well as 3rd party suppliers that might be affected by it. Unified Vulnerability Management and ASPM tools can scan the application portfolio to identify instances of vulnerable Linux and which version is exploitable, mapping out where it is deployed across the organization.
Phoenix campaigns in ASPM and in the Unified Vulnerability Management UVM module allow you to address CVE-2024-20353 in bulk with others.
Import vulnerabilities or scan your system externally, leveraging the ASPM and UVM external attack surface to pinpoint all instances of the affected ASA. Its deep integration capabilities enable it to interface seamlessly with existing network architecture, providing a comprehensive audit of systems using the GlobalProtect gateway with device telemetry features enabled.
Prioritizing Exposed Systems:
With the inherent capability to assess exposure levels, Phoenix prioritizes remediation efforts based on risk and exposure. More exposed systems—such as those facing the internet or containing sensitive data—are bumped up in the remediation queue, ensuring that the most vulnerable assets are secured first.
Prioritize and Structure Remediation Campaigns addressing CVE-2024-20353 in bulk.
Tracking Remediation:
Phoenix’s real-time ASPM and UVM dashboard offers organizations a bird’s-eye view of the remediation process. It tracks the progress of patch deployments and the status of applied workarounds, ensuring that IT teams are informed at every step. Phoenix’s granular reporting enables organizations to monitor which systems are secured and which still require attention.
