Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ArcaneDoor Exploiting Cisco ASA Vulnerabilities - 20240425001 #676

Merged
merged 3 commits into from
Apr 26, 2024
Merged

ArcaneDoor Exploiting Cisco ASA Vulnerabilities - 20240425001 #676

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0fdabf2
ArcaneDoor Exploiting Cisco ASA Vulnerabilities - 20240425001
petarpetrovski Apr 26, 2024
06bf9a7
Format markdown docs
petarpetrovski Apr 26, 2024
39cd202
20240426001
petarpetrovski Apr 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions docs/advisories/20240426001-ArcaneDoor-Exploiting-Cisco-ASA-Vulnerabilities.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# ArcaneDoor Exploiting Cisco ASA Vulnerabilities - 20240426001

## Overview

Cisco has released security updates to address ArcaneDoor—exploitation of Cisco Adaptive Security Appliances (ASA) devices and Cisco Firepower Threat Defense (FTD) software. A cyber threat actor could exploit vulnerabilities (CVE-2024-20353, CVE-2024-20359, CVE-2024-20358) to take control of an affected system.

## What is vulnerable?

| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated |
| ----------------------------------------------------------------- | ---------- | ---- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| [CVE-2024-20353](https://nvd.nist.gov/vuln/detail/CVE-2024-20353) | **High** | 8.6 | **Check [advisory's tool](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2) on vulnerable configured Cisco ASA and FTD Software** | A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition | 24/04/2024 |
| [CVE-2024-20359](https://nvd.nist.gov/vuln/detail/CVE-2024-20359) | **Medium** | 6.0 | **Check [advisory's tool](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h) on vulnerable release of Cisco ASA Software or FTD Software** | A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges | 24/04/2024 |
| [CVE-2024-20358](https://nvd.nist.gov/vuln/detail/CVE-2024-20358) | **Medium** | 6.0 | **Check [advisory's tool](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm) on vulnerable release of Cisco ASA Software or FTD Software** | A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges | 24/04/2024 |

## What has been observed?

There is evidence of exploitation activities and some Cisco ASA devices in Australia have been compromised.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- [Attacks Against Cisco Firewall Platforms](https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response)

- Inspect logs for traces of [IOCs](https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns)

## Additional References

- [Exploitation of vulnerabilities affecting Cisco firewall platforms](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/exploitation-vulnerabilities-affecting-cisco-firewall-platforms)
- [Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms](https://www.cisa.gov/news-events/alerts/2024/04/24/cisco-releases-security-updates-addressing-arcanedoor-vulnerabilities-cisco-firewall-platforms)