Overview
On April 24, 2024, Cisco Talos and several government security agencies published details on a sophisticated threat campaign focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure.
As part of that publication, Cisco disclosed CVE-2024-20353 and CVE-2024-20359, affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, which were actively exploited in the documented campaign.
Severity: High
CVSS Base Score: 8.6 (CVE-2024-20353), 6.0 (CVE-2024-20359)
CVE(s): CVE-2024-20353 CVE-2024-20359
Impacted Products: Cisco ASA and Cisco FTD
The initial access vector used in this campaign, which Cisco Talos has dubbed ArcaneDoor, has not yet been identified; Cisco is continuing to investigate the possibility of an as-yet-unknown unauthenticated Remote Code Execution (RCE) vulnerability.
ISG is working with Arctic Wolf Labs, which is monitoring for further developments related to this threat activity.
Recommended Action
To address these vulnerabilities, and to remove the persistence of the documented implants (Line Dancer and Line Runner), we recommend upgrading to the fixed versions of Cisco ASA and FTD Software provided by Cisco. Upgrade within the feature train the device is already running (9.16, 9.18 or 9.20); the fixed release is the same for both CVEs.

Affected Product | Vulnerability | Affected Version | Fixed Version
Cisco ASA/FTD Software | CVE-2024-20353 | Versions prior to 9.16.4.57, 9.18.4.22 and 9.20.2.10, on devices with a configuration that enables SSL listen sockets | 9.16.4.57, 9.18.4.22 or 9.20.2.10
Cisco ASA/FTD Software | CVE-2024-20359 | Versions prior to 9.16.4.57, 9.18.4.22 and 9.20.2.10; no specific configuration required | 9.16.4.57, 9.18.4.22 or 9.20.2.10
Use the Cisco Software Checker to Identify Correct Version for your Upgrade Path of Cisco ASA/FTD
Cisco provides a tool called the Cisco Software Checker to help its customers determine their exposure to vulnerabilities in Cisco ASA, FMC and FTD Software. Given a particular software release, the tool lists the Cisco security advisories that affect it and the first release that addresses the vulnerabilities in each advisory. It can also report the earliest release that resolves all vulnerabilities across several advisories at once, which is the release to target when planning the upgrade.
Make sure to follow your organization's patching and testing guidelines to avoid any operational impact.
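For a first pass across many devices before opening the Software Checker for each one, the following added example (not Cisco's tool, and not code from this advisory) compares the version reported by ASA `show version` against the fixed releases in the table above. It understands both the dotted form used in advisories (9.16.4.57) and the parenthesised form ASA prints (9.16(4)57). Only the three trains named on this page are known to it; a device on any other train is reported as "unknown" rather than assumed safe, and must be checked with the Software Checker. The `show version` sample at the bottom is constructed for illustration.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases exactly as listed in the table on this page, keyed by
# feature train. Trains not listed here are deliberately absent: the
# assessment returns "unknown" for them instead of guessing.
FIXED_RELEASES = {
    (9, 16): (9, 16, 4, 57),
    (9, 18): (9, 18, 4, 22),
    (9, 20): (9, 20, 2, 10),
}

# Matches "9.16.4.57" (advisory form) and "9.16(4)57" (ASA `show version` form).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)[.)](\d+)")
# Prefer the ASA software line so other version strings in the output
# (device manager, firmware) are not mistaken for the ASA release.
_SOFTWARE_LINE_RE = re.compile(r"Software Version\s+" + _VERSION_RE.pattern)


def parse_asa_version(text: str) -> Optional[Version]:
    """Return the ASA release found in `text` as a 4-tuple, or None."""
    m = _SOFTWARE_LINE_RE.search(text) or _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess(version: Version) -> str:
    """Classify a release as 'fixed', 'vulnerable' or 'unknown' (train not on this page)."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison is lexicographic, so 9.16.4.57 >= 9.16.4.57 is fixed
    # and 9.16.4.55 < 9.16.4.57 is vulnerable.
    return "fixed" if version >= fixed else "vulnerable"


def assess_show_version(output: str) -> str:
    """Parse raw `show version` output and classify the device."""
    version = parse_asa_version(output)
    if version is None:
        return "unparsed"
    return assess(version)


# Constructed sample of `show version` output for illustration (not a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)55
Device Manager Version 7.16(1)
Compiled on Mon 01-May-23 12:00 PDT by builders
"""

if __name__ == "__main__":
    print(parse_asa_version(SAMPLE_SHOW_VERSION), assess_show_version(SAMPLE_SHOW_VERSION))
    for v in ("9.16.4.57", "9.18(4)21", "9.20.2.10", "9.12.4.50"):
        print(v, assess(parse_asa_version(v)))
```

Feed it the saved output of `show version` from each ASA; FTD prints a different `show version` layout, so for FTD devices use the Software Checker directly. Treat "unknown" and "unparsed" as findings, not as clean results.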
Review Security Best Practices for Cisco ASA/FTD Devices
The Communications Security Establishment of Canada provides general hardening guidance for Cisco ASA/FTD devices, including:
- Restrict internal unencrypted traffic through gateway devices, including unencrypted SMB traffic. SMBv3 should be used at a minimum.
- Limit privileges on AD accounts used on edge devices such as firewalls.
- Limit use of SSL/TLS for VPN connectivity and consider using IPsec instead.
- Implement geofencing where possible to limit attack surface.
ISG Can Help
If you need help with remediation, please reach out to your ISG representative or fill out our Contact Us form to request help.
Resources
Cisco Security Advisory
Provides a more in-depth summary of the affected products, how to determine whether an ASA or FTD device is affected, and more.
Cisco Software Checker
Use the Cisco Software Checker to search for Cisco Security Advisories that apply to specific software releases of the following products: Cisco ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS and NX-OS in ACI Mode.
Cisco Talos Intelligence – ArcaneDoor Overview
Technical overview of the attack including timeline, links to critical fixes and technical details such as:
- Line Dancer: In-Memory Implant Technical Details
- Host-Scan-Reply hook overview
- Line Runner: Persistence Mechanism
- Forensic Recovery and Identification of Line Runner
- Anti-Forensics/Anti-Analysis Capabilities