About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Executive Summary
On April 24, 2024, Cisco published details related to multiple vulnerabilities (CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359) affecting users of the Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products. These vulnerabilities can be exploited by both unauthenticated and authenticated users to execute code remotely and establish persistence. There are no workarounds listed for any of the vulnerabilities detailed and patching is recommended as the only form of mitigation for the affected Cisco devices. Cisco identified the aforementioned vulnerabilities while investigating devices that were compromised in customer environments as early as July 2023, though Cisco still claims to not know how the devices were initially exploited. For these reasons, Cisco recommends that their customers maintain the latest patchesand take steps to harden these types of devices which are often accessible publicly due to their placement at the edge of customer networks. If you have concerns or believe that any of the affected Cisco devices have been compromised in your environment, we recommend that you follow the guidance shared by Cisco to verify the integrity of your devices.
VULNERABILITIES
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
Identifier: CVE-2024-20353 – CVSS Score 8.6 (HIGH)
Exploit or POC: Yes (Actively Being Exploited)
Update: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
Description: CVE-2024-20353 allows for denial of services. This vulnerability could allow an adversary to send crafted HTTP requests to a targeted web server. Authentication and user interaction are not required to successfully exploit this vulnerability. Successful exploitation of this vulnerability could allow an adversary to trigger an unexpected device reload. Subsequently, resulting in denial of service (DoS).
Mitigation recommendation: Customers should upgrade to the fixed software versions as listed in the ‘Update’ description: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability. RedLegg Action: None at this time.
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
Identifier: CVE-2024-20358 – CVSS Score 6.0 (Medium)
Exploit or POC: No
Update: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability Description: CVE-2024-20358 allows for command injection. Authentication is required to successfully exploit this vulnerability. This vulnerability could allow an adversary to arbitrarily run code on the underlying operating system using root level privileges. This vulnerability can be exploited when a specially crafted backup file is restored on an affected device.
Mitigation recommendation: Customers should upgrade to the fixed software versions as listed in the ‘Update’ description: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability.RedLegg Action: None at this time.
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
Identifier: CVE-2024-20359 – CVSS Score 6.0 (HIGH)
Exploit or POC: Yes (Actively Being Exploited)
Update: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability Description: CVE-2024-20359 allows for code execution. Authentication is required to successfully exploit this vulnerability. This vulnerability can be exploited by copying a specially crafted file to the disk0: file system on an affected device. The successful exploitation of this vulnerability could allow an adversary to execute code arbitrarily using root level privileges on an affected device, and thereby alter the system’s behavior.
Mitigation recommendation: Customers should upgrade to the fixed software versions as listed in the ‘Update’ description: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability.RedLegg Action: None at this time.