
Cisco Releases Security Updates Addressing ArcaneDoor Campaign, Exploited Vulnerabilities in ASA and FTD

The security advisory addresses three vulnerabilities in Cisco ASA and FTD software that are being actively exploited in the ArcaneDoor campaign




Threat details

Exploitation of CVE-2024-20353 and CVE-2024-20359

Cisco are aware that CVE-2024-20353 and CVE-2024-20359 are being exploited by a nation-state actor in an active, sophisticated campaign named "ArcaneDoor".


Introduction

Cisco have released multiple security advisories for three vulnerabilities, including two being exploited as zero-days in an active campaign tracked as "ArcaneDoor". The vulnerabilities affect Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Cisco ASA and FTD are security appliances that provide intrusion prevention system (IPS), virtual private network (VPN) and firewall capabilities.



Vulnerability details

  • CVE-2024-20353 - Web Services Denial of Service Vulnerability - CWE-835
    • CVE-2024-20353 is an infinite loop vulnerability with a CVSSv3 score of 8.6, which if exploited could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
  • CVE-2024-20359 - Persistent Local Code Execution Vulnerability - CWE-94
    • CVE-2024-20359 is a code injection vulnerability with a CVSSv3 score of 6.0, which if exploited could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
  • CVE-2024-20358 - Command Injection Vulnerability - CWE-78
    • CVE-2024-20358 is an OS command injection vulnerability with a CVSSv3 score of 6.0, which if exploited could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.

Remediation advice

Organisations are required to:

  • Review the relevant security advisories and apply the security updates as soon as possible.
  • Follow the steps detailed in the Cisco Event Response: Attacks Against Cisco Firewall Platforms article to verify the integrity of their ASA and FTD appliances. If organisations identify that they are compromised following a response from the Cisco Technical Assistance Center, an incident should be raised with the NHS England National CSOC.

These steps are detailed below.

NOTE: Once the patches are applied and a case has been raised with TAC, organisations can mark this cyber alert as "Complete".

For more information on the "ArcaneDoor" campaign and for additional guidance on determining if an organisation has been compromised, please review the Cisco Talos article.


Remediation steps

Type: Patch

Affected organisations must apply the relevant security updates as soon as possible. These are available via the security advisories at the link below.


https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
Type: Action

Additionally, affected organisations must follow Cisco's guidance to verify the integrity of their ASA and FTD devices as soon as possible.

The following steps can be used to verify the integrity of an organisation's Cisco ASA or FTD devices:

  1. Log in to the suspect device CLI.
    Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
  2. Use the enable command to change into privileged EXEC mode.
    Note: On devices that are running Cisco FTD Software, the enable password is blank.
  3. Collect the outputs of the following commands:
    • show version
    • verify /SHA-512 system:memory/text
    • debug menu memory 8
  4. Open a case with the Cisco Technical Assistance Center (TAC). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

This remediation step can be considered complete once the diagnostic output is sent to the Cisco Technical Assistance Center. If organisations identify that they are compromised following a response from TAC, they are to inform the NHS England National CSOC for further guidance.
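The four-step collection procedure above is easy to get wrong at scale (forgetting to switch FTD devices into the ASA CLI, or uploading an incomplete capture to TAC). The following is an added example, not code from NHS England or Cisco, of a small Python helper that drives the procedure through a caller-supplied transport and packages the three command outputs into a hashed evidence record for the TAC case. The transport callable, the `SAMPLE_OUTPUTS` text, the hostname and the output line formats it parses are all assumptions constructed for illustration; a real deployment would wrap an SSH session (for example a netmiko connection) in the callable.

```python
"""Evidence collection helper for the ASA/FTD integrity-verification steps (added example)."""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List

# The three commands named in the verification steps, in the order they are collected.
DIAGNOSTIC_COMMANDS: List[str] = [
    "show version",
    "verify /SHA-512 system:memory/text",
    "debug menu memory 8",
]

# Constructed sample outputs (NOT captured from a real appliance); they only
# illustrate the shape of data the helper expects from each command.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "show version": (
        "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
        "Device Manager Version 7.16(1)\n"
        "asa-lab up 12 days 3 hours\n"
    ),
    "verify /SHA-512 system:memory/text": (
        "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
        "Done!\n"
        "Computed Hash   SHA512: " + "ab" * 64 + "\n"
    ),
    "debug menu memory 8": "constructed placeholder for the memory diagnostic output\n",
}


def parse_asa_version(show_version: str) -> str:
    """Extract the software version from 'show version' output (assumed line format)."""
    m = re.search(r"Software Version\s+(\S+)", show_version)
    return m.group(1) if m else "unknown"


def parse_computed_hash(verify_output: str) -> str:
    """Return the 128-hex-digit SHA-512 digest found in the verify output, or ''.

    An empty result means the capture was cut short or the command failed, so the
    caller can flag the evidence as incomplete instead of silently uploading it.
    """
    m = re.search(r"\b([0-9a-fA-F]{128})\b", verify_output)
    return m.group(1).lower() if m else ""


def collect_diagnostics(run_command: Callable[[str], str], *, is_ftd: bool,
                        hostname: str) -> Dict[str, object]:
    """Run the procedure over `run_command` and return a self-describing evidence record.

    `run_command` sends one CLI line and returns its output; it must handle the
    enable-password prompt itself (on FTD the enable password is blank).
    """
    if is_ftd:
        # Step 1 note: FTD devices must first be switched into the ASA CLI.
        run_command("system support diagnostic-cli")
    # Step 2: privileged EXEC mode.
    run_command("enable")
    # Step 3: collect the three diagnostic outputs.
    outputs = {cmd: run_command(cmd) for cmd in DIAGNOSTIC_COMMANDS}

    text_hash = parse_computed_hash(outputs["verify /SHA-512 system:memory/text"])
    raw = json.dumps(outputs, sort_keys=True).encode("utf-8")
    return {
        "hostname": hostname,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "tac_keyword": "ArcaneDoor",  # Step 4: keyword to reference in the TAC case
        "software_version": parse_asa_version(outputs["show version"]),
        "text_segment_sha512": text_hash,
        # Only treat the capture as complete when every command produced output
        # and the verify command yielded a digest.
        "complete": all(outputs.values()) and bool(text_hash),
        "outputs": outputs,
        # Digest of the captured outputs so the uploaded evidence can be checked
        # for integrity later.
        "evidence_sha256": hashlib.sha256(raw).hexdigest(),
    }


def sample_transport(command: str) -> str:
    """Offline stand-in for an SSH session: answers from the constructed outputs."""
    return SAMPLE_OUTPUTS.get(command, "")


if __name__ == "__main__":
    record = collect_diagnostics(sample_transport, is_ftd=False, hostname="asa-lab")
    print(json.dumps(record, indent=2))
```

Write the returned record to a file alongside the raw outputs and attach both to the TAC case; the `complete` flag and the evidence digest give the responder a quick way to spot truncated captures before they are uploaded.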


https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
Type: Guidance

For more information on the "ArcaneDoor" campaign and for additional guidance on determining if an organisation has been compromised, please review the Cisco Talos article linked below.

This is not required for remediation of this cyber alert.


https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/



Last edited: 25 April 2024 11:00 am