Critical Vulnerability in Cisco ASA (CVE-2024-20329)

Executive Summary

On October 24th, 2024, Cisco published an advisory regarding a critical vulnerability (CVSS 9.9) in their Adaptive Security Appliance (ASA) Software, the operating system of their firewall and VPN appliances. The vulnerability is due to insufficient validation of user input and can be abused by a remote attacker who holds valid credentials and can reach the device's SSH service: by sending crafted input while executing remote CLI commands over SSH, the attacker can execute arbitrary operating system commands as root. Remote code execution (RCE) as root gives an attacker complete control of the device, allowing them to add and remove software, stage attacks against other systems, or disrupt operation of the device. Because Cisco ASA devices are typically deployed at the network perimeter and often accept management connections from the Internet, this vulnerability presents a significant risk to organizations using affected Cisco ASA devices.

There are a few mitigating factors around this vulnerability that may lessen the global impact. The first is that successful exploitation requires valid account credentials on the target device, so threat actors must obtain or guess a working username and password before they can attempt it; this is not an authentication bypass. Additionally, the device's SSH service must be reachable by the attacker, so a device whose SSH access lists restrict connections to internal management networks is not exposed to remote exploitation from the Internet. Lastly, the bug was discovered by Cisco research and development teams during internal testing, so it was found and patched before becoming publicly known. Cisco did not publish enough details for a third party to quickly develop a proof of concept (PoC) exploit, and the Cisco Product Security Incident Response Team (PSIRT) reported no known exploitation of this vulnerability in the wild. The fixed software is already public, however, and Beazley Security expects financially motivated threat actors to reverse engineer the patches to develop and deploy weaponized exploits in the coming days.

Beazley Security recommends organizations upgrade their affected Cisco ASA products as soon as possible.

Affected Systems / Products

Cisco did not provide a flat list of affected products; instead they point to their interactive Cisco Software Checker, which is also embedded in the advisory under the section "Fixed Software". The checker takes the ASA release a device is running and reports whether that release is affected and which release carries the fix. While this is less convenient for defenders who want a quick yes or no, affected status depends on the exact software release and on whether the CiscoSSH stack is enabled, so the running configuration of each device has to be checked as well.

Cisco also provided a command that can be run on a device to check whether the vulnerable SSH stack is in use: show running-config | include ssh. The output shows whether the CiscoSSH stack is enabled along with the rest of the SSH configuration. This is an example of typical output:

ciscoasa# show run | include ssh
aaa authentication ssh console LOCAL
ssh scopy enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ciscoasa#

The line ssh stack ciscossh is the indicator that the vulnerable CiscoSSH stack is enabled; if that line is absent, the device is using the native SSH stack and is not affected. The ssh <address> <mask> <interface> lines are also worth reading while you are there: they define which source addresses may open SSH connections on each interface, and 0.0.0.0 0.0.0.0 on an Internet-facing interface means any host on the Internet can attempt to authenticate.
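For organizations with many devices, the same check is easier to apply to saved captures than by hand. The following is an added example written for this page, not a Cisco tool: it parses a show running-config | include ssh capture, reports whether the CiscoSSH stack line is present, and lists interfaces whose SSH access lists admit any source address. The sample capture is constructed (it is the advisory's example plus one extra "outside" access line), and the list of interfaces treated as out-of-band is an assumption the caller must supply.

```python
"""Added example (not a Cisco tool): triage a saved 'show running-config |
include ssh' capture for CVE-2024-20329 exposure. Assumptions are marked."""
import ipaddress
import re

# Constructed sample capture: the advisory's example output plus one extra
# access line (ssh 0.0.0.0 0.0.0.0 outside) to show what exposure looks like.
SAMPLE_CAPTURE = """\
ciscoasa# show run | include ssh
aaa authentication ssh console LOCAL
ssh scopy enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 outside
ciscoasa#
"""

# ASA SSH access lines: 'ssh <ipv4> <mask> <iface>' or 'ssh <ipv6>/<len> <iface>'
IPV4_ACCESS = re.compile(
    r"^ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
IPV6_ACCESS = re.compile(r"^ssh\s+([0-9A-Fa-f:]+/\d{1,3})\s+(\S+)$")


def parse_ssh_config(capture):
    """Return (ciscossh_stack_enabled, [(network, interface), ...])."""
    ciscossh = False
    access = []
    for raw in capture.splitlines():
        line = raw.strip()
        if line == "ssh stack ciscossh":       # the advisory's indicator line
            ciscossh = True
            continue
        m = IPV4_ACCESS.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            access.append((net, m.group(3)))
            continue
        m = IPV6_ACCESS.match(line)
        if m:
            access.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return ciscossh, access


def wide_open_interfaces(access):
    """Interfaces whose SSH access list admits any source address (/0)."""
    return [iface for net, iface in access if net.prefixlen == 0]


def triage(capture, oob_interfaces=("management",)):
    """Verdict string. oob_interfaces is an assumption: interface names the
    caller knows are out-of-band and not reachable from the Internet."""
    ciscossh, access = parse_ssh_config(capture)
    if not ciscossh:
        return "ciscossh-not-in-config"
    exposed = [i for i in wide_open_interfaces(access) if i not in oob_interfaces]
    if exposed:
        return "ciscossh-enabled-any-source-on:" + ",".join(exposed)
    return "ciscossh-enabled-access-restricted"


if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE))   # ciscossh-enabled-any-source-on:outside
```

A verdict of ciscossh-not-in-config only says the vulnerable stack is not enabled; the software release should still be run through the Cisco Software Checker so the device is patched before someone enables CiscoSSH later. Conversely, ciscossh-enabled-access-restricted still warrants patching, since any attacker who reaches an allowed source network with valid credentials can exploit the device.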

Mitigations / Workarounds

Until patches can be applied to affected systems, the vulnerable CiscoSSH stack can be disabled, which causes the appliance to fall back to its native SSH stack. Example commands to achieve this are below; the final write memory saves the change so it survives a reload:

ciscoasa# conf t
ciscoasa(config)# no ssh stack ciscossh
(the SSH session is terminated here; log back in)
ciscoasa# write memory

Please note that disabling the CiscoSSH stack terminates all active SSH sessions, including your own, so perform the change from the console or with out-of-band access available, and expect to reconnect before you can save the configuration. After logging back in, confirm with show run | include ssh stack that the ssh stack ciscossh line is gone. This workaround has been tested by Cisco and should also be tested locally by any organization planning to implement it, since some SSH client configurations may behave differently against the native stack.

Patches

Cisco published patch fixes at the time of their advisory and are directing clients to find them at their Support and Download Center. If an affected organization is under a service contract that entitles regular software updates, the usual update channel should suffice.

Technical Details

Cisco did not provide enough detailed information on the vulnerability for a third party to easily create a proof of concept (PoC), however this vulnerability type (command injection) and the techniques used to exploit it are well known and of low complexity.

Generally, for these types of attacks, a threat actor transmits a specially crafted string containing command separators or shell metacharacters (for example a semicolon, a pipe, a newline, or a $(...) substitution) embedded within otherwise normal contents. If the receiving software concatenates that string into a command line that is then handed to a shell or command interpreter, the interpreter does not know where the intended command ends and the attacker's text begins, and it runs the injected portion as additional commands. When the component doing this runs as root, the result is remote code execution (RCE) as root.

This appears to be the situation for this vulnerability: the Cisco advisory states that it "is due to insufficient validation of user input" and that an attacker could exploit it "by sending crafted input when executing remote CLI commands over SSH." In other words, a command sent for execution through the CiscoSSH stack is not adequately validated before it reaches a privileged component on the appliance. The durable fix for this class of bug is to validate input against an allowlist of permitted commands and never to pass the text through a shell at all, rather than trying to strip individual characters.
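To make the bug class concrete, the following is an added example written for this page, not Cisco's code and not a reconstruction of the ASA internals: a minimal "remote command" helper in its injectable form next to a hardened form. The command front end is simulated with echo, the allowlist and the attacker string are constructed, and everything else is standard Python.

```python
"""Added example, not Cisco's code: the command-injection pattern the advisory
describes, in miniature. A remote CLI command arriving over SSH is handed to a
helper; 'echo cli' stands in for the real command front end."""
import subprocess

# Constructed allowlist of command prefixes an operator may issue remotely.
ALLOWED_PREFIXES = ("show version", "show running-config", "show interface")


def vulnerable_exec(user_cmd: str) -> str:
    """Anti-pattern: user text is spliced into a shell command line.

    /bin/sh parses the whole line, so separators in user_cmd (';', '|',
    '&&', '$(...)', a newline) start new commands, which run with whatever
    privilege this helper has. That is the shape of the bug class."""
    cmd_line = "echo cli " + user_cmd
    return subprocess.run(cmd_line, shell=True, capture_output=True,
                          text=True, check=True).stdout


def is_allowed(user_cmd: str) -> bool:
    """Allowlist check: known command prefixes only, and no line breaks,
    which a CLI front end itself may treat as command separators."""
    if "\n" in user_cmd or "\r" in user_cmd:
        return False
    return user_cmd.startswith(ALLOWED_PREFIXES)


def hardened_exec(user_cmd: str) -> str:
    """Fix: validate, then pass the text as ONE argv element with no shell.
    Metacharacters are now inert data; the helper sees a single argument."""
    if not is_allowed(user_cmd):
        raise ValueError(f"command not permitted: {user_cmd!r}")
    return subprocess.run(["echo", "cli", user_cmd], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    payload = "show version; echo INJECTED"      # constructed attacker input
    print("vulnerable:", repr(vulnerable_exec(payload)))
    print("hardened:  ", repr(hardened_exec(payload)))
```

Run it and the vulnerable path prints two lines, the second being the output of the injected echo, while the hardened path prints the whole string back as a single argument. Note that the payload starts with an allowed prefix, so the allowlist alone does not stop it; what neutralizes the injection is never invoking a shell. Stripping characters is a poor substitute: on an ASA the pipe in show run | include ssh is legitimate CLI syntax, so a filter that rejected it would break operators without addressing the root cause.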

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
