Earlier this year, it was suspected that state-sponsored threat actors were targeting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). On April 24th, 2024, after months of research that involved several public and private sector organizations, Cisco published the vulnerabilities and their patches. This espionage-focused campaign, dubbed “ArcaneDoor” by Cisco Talos (the company’s intelligence arm), focused on two vulnerabilities: CVE-2024-20353 and CVE-2024-20359. Another vulnerability, CVE-2024-20358, was discovered during the research but wasn’t exploited in the wild.
The vulnerabilities: CVE-2024-20353 and CVE-2024-20359
While neither of the two vulnerabilities are considered Critical severity, due to the depth and breadth of Cisco’s reach, they are very likely to affect many organizations. The most severe of the two, CVE-2024-20353, has a CVSS v3 risk score of 8.6, which is of High severity.
CVE-2024-20353 is a denial-of-service (DoS) vulnerability that stems from an incomplete error checking when parsing an HTTP header. A remote attacker could exploit the issue by sending a crafted HTTP request to the affected device. Not all configurations of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) are vulnerable, and customers are advised to check their devices’ configurations according to the instructions provided in Cisco advisory ID:
cisco-sa-asaftd-websrvs-dos-X8gNucD2.
CVE-2024-20359 is a code execution vulnerability that stems from improper validation of a file when it is read from system flash memory. A local attacker could exploit the issue by copying a crafted file to the disk0: file system of an affected device. While only given a CVSS v3 score of 6.0 (Medium severity), Cisco has pointed out that the injected code could persist across device reboots and raised the Security Impact Rating (SIR) of this advisory from Medium to High.
Both vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog the day they were published.
The attacks
None of the organizations involved in the research could associate the threat actors with a known APT group, nor could they identify their sponsoring countries. However, technical details of the attacks indicated that the attackers used two custom pieces of malware:
Line Dancer – according to Talos, this malware implementation was used to:
- Disable syslog.
- Run and exfiltrate the command show configuration.
- Create and exfiltrate packet captures.
- Execute CLI commands present in shellcode.
- Hook the crash dump process to minimize traces of compromise.
- Hook the AAA (Authentication, Authorization and Accounting) function to allow attackers remote access to the compromised device via a VPN tunnel that bypasses the configured AAA mechanisms.
Line Runner – this malware is a backdoor that was used to maintain persistence on the compromised device.
Current solutions
Cisco has published fixed versions of Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Further details can be found in Cisco PSIRT advisories for CVE-2024-20353 and CVE-2024-20359. The company also suggested additional steps to protect against these vulnerabilities.
The Talos team also provides forensic methods to check if a device was compromised, and additional recommendations for identifying the existence of Line Dancer and/or Line Runner on ASA and FTD devices.
How can Skybox Help?
The Skybox Research Lab added the vulnerabilities to the Skybox Threat Intelligence Service the day they were made public. All the information referenced in the Talos blog post is available to Skybox’s customers via this feed.
Skybox customers with Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) in their organization’s network can detect the vulnerability with the Skybox Vulnerability and Threat Management solution’s vulnerability discovery capabilities; customers will be informed of how many vulnerability occurrences exist across their organization and the exposure level of each asset to the relevant attack vector. Skybox also recommends compensating security controls, such as configuration changes or network segmentation, to mitigate exposure risk on the customer’s network if patching is not imminent.
Based on the importance of Cisco ASA and FTD in the organizational network and other factors, including the general CVSS score for CVE-2024-20353 and CVE-2024-20359, the organization’s security team will receive a customized risk score and a prioritization of their most critical threats, to help make an informed decision about the best way to protect their organization.
Skybox’s threat intelligence team will continue to closely monitor any developments related to the ArcaneDoor campaign and update the threat intelligence feed with any information that could be valuable for the customers’ risk management decision-making processes.
Learn how Skybox proactively protects you from vulnerabilities like the one affecting Cisco ASA and FTD.
