Sophisticated Attack Against Cisco ASA and FTD Software Leveraging Multiple Vulnerabilities (CVE-2024-20353, CVE-2024-20358, CVE-2024-20359)

Executive Summary

On April 24th, Cisco reported on an attack campaign against certain Cisco devices running Cisco Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) Software. The report detailed three vulnerabilities: CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359.

CVE-2024-20353 is a denial-of-service vulnerability that allows a remote, unauthenticated attacker to cause the device to reload unexpectedly, resulting in a denial-of-service condition. CVE-2024-20358 is a command injection vulnerability that allows a local, authenticated attacker with Administrator-level privileges to run arbitrary commands as root on the underlying device operating system. CVE-2024-20359 is similar: it is an arbitrary code execution vulnerability that allows a local, authenticated attacker with Administrator-level privileges to execute arbitrary code as root on the underlying device operating system.

Incident analysis from the Cisco Talos team describes a highly capable and well-resourced threat actor behind an attack campaign they’re calling ArcaneDoor. The campaign required using two of the reported vulnerabilities in conjunction to install a pair of sophisticated backdoors named Line Dancer and Line Runner on victim appliances. The deep familiarity with the target environment, the custom exploits and tooling, and the robust supporting attack infrastructure described in their report are the hallmarks of state-sponsored threat actors. Cisco Talos has collaborated with the UK’s National Cyber Security Centre (NCSC) and other intelligence partners to track this new espionage-focused threat actor. This threat actor is now tracked as UAT4365 by Talos and STORM-1849 by Microsoft.

A critical detail from the report is that the initial access method is still unknown at the time of this advisory, meaning organizations may need to be prepared to apply additional patches once it is discovered and resolved. Vendor patches for the reported vulnerabilities have been publicly released, and as a result Lodestone predicts financially motivated threat actors will study the patches to develop their own weaponized exploits in the coming days. Finally, Cisco has reported no available mitigations or workarounds besides installing the software patches. Given these factors, Lodestone believes immediate application of Cisco’s released patches is crucial.

Affected Systems / Products

The vulnerabilities affect the following versions of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software:

  • Cisco ASA Software prior to 9.16.4.57
  • Cisco FTD Software prior to 7.0.6.2

Mitigations / Workarounds

There are no mitigations or workarounds that address these vulnerabilities. The only provided fix is the vendor-supplied software update.

Patches

Cisco has provided free software updates to address these vulnerabilities. Customers with service contracts can obtain the security fixes through their usual update channels.

Customers without service contracts can obtain their security fixes through the Cisco TAC. A product serial number and the URL of their advisory will need to be provided as part of the process.

Cisco additionally provides a “Cisco Software Checker” to verify if your appliance is affected. There is both a full web page and a condensed form directly on the advisory page that Cisco device owners can use to check their appliance software versions.

Technical Details

The attack was sophisticated and resulted in two related implants installed on victim appliances.

The first implant is named Line Dancer and is a memory-only backdoor that receives and executes arbitrary shellcode payloads. It does this by overriding the Cisco code that processes the host-scan-reply field in incoming network traffic. This field is used in normal appliance operations, so the implant gives the threat actors the ability to send arbitrary code via a POST request, bypassing authentication processes. More details of its functionality can be found in the Talos report.

The second implant is named Line Runner and is used as the persistence mechanism for the pair of implants. The installation procedure for this implant makes use of two of the disclosed vulnerabilities reported in the Cisco advisory. Using an initial access method that is unknown at the time of this advisory, the threat actors staged a trojan VPN configuration package on victim appliances following the naming convention “client_bundle*.zip”. The threat actors then leveraged CVE-2024-20353 (the Denial of Service vulnerability) to cause the target appliance to reload. As part of this reload process, the appliance will unpack any files following the naming convention “client_bundle*.zip” and execute any child files named “csco_config.lua”. This is malicious misuse of legacy functionality, now tracked as CVE-2024-20359.

Detection Guidance

Cisco has provided detection guidance to determine if an attack may have been attempted on a device. After upgrading to a fixed release:

  • From the device CLI, check the output of the command: dir disk0:
  • Look for new .zip files that did not show up before the upgrade
  • In particular, look for a file named client_bundle_install.zip or any other unusual name

Any unusual files in that location may indicate staged backdoors abusing the vulnerabilities in this advisory.

While the above steps can help uncover generic use of these vulnerabilities, Cisco Talos also provided details to facilitate threat hunting for the specific threat actor (UAT4365) that was seen using these vulnerabilities in the wild. Their trojan VPN package contained the following specific files:

  • ./csco_config.lua
  • ./csco_config2.lua
  • ./client_bundle_install/plugin/rdp.jar
  • ./client_bundle_install/test/stgvdr.txt
  • ./client_bundle_install/test/index.txt
  • ./client_bundle_install/test/hash.txt
  • ./client_bundle_install/test/umtfc.txt
  • ./client_bundle_install/test/laecsnw.txt

Note that several of these files delete themselves during the attack. These files implement configuration changes to the appliance that are specific to this malware family and are out of scope for this advisory. Details, however, are available in the Talos report.
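
The two checks above (new .zip files on disk0: after the upgrade, and archive members matching the file list) can be scripted against saved CLI output. The following is an added example, not code from Cisco, Talos or Lodestone; the row layout assumed for the `dir disk0:` output, the function names and the sample listings are assumptions constructed for illustration.

```python
import fnmatch
import re

# Assumed row shape of `dir disk0:` output: index, mode, size, time, date, name.
DIR_ROW = re.compile(
    r"^\s*\d+\s+[-d][-rwx]{3}\s+\d+\s+\S+\s+\S+\s+\d+\s+\d{4}\s+(\S+)\s*$")

# File names this advisory lists for the UAT4365 trojan VPN package.
LISTED_MEMBERS = {
    "csco_config.lua", "csco_config2.lua",
    "client_bundle_install/plugin/rdp.jar",
    "client_bundle_install/test/stgvdr.txt",
    "client_bundle_install/test/index.txt",
    "client_bundle_install/test/hash.txt",
    "client_bundle_install/test/umtfc.txt",
    "client_bundle_install/test/laecsnw.txt",
}

def list_files(dir_output):
    """Return the set of file names in captured `dir disk0:` text."""
    rows = (DIR_ROW.match(line) for line in dir_output.splitlines())
    return {m.group(1) for m in rows if m}

def review_disk0(before, after):
    """Classify .zip files present after the upgrade but not before it."""
    new = list_files(after) - list_files(before)
    new_zips = sorted(n for n in new if n.lower().endswith(".zip"))
    bundles = [n for n in new_zips
               if fnmatch.fnmatch(n.lower(), "client_bundle*.zip")]
    return {"new_zips": new_zips, "client_bundle": bundles}

def listed_members(archive_names):
    """Return archive member names that appear in the advisory's file list."""
    cleaned = {n[2:] if n.startswith("./") else n for n in archive_names}
    return sorted(cleaned & LISTED_MEMBERS)

# Constructed sample listings (not taken from a real device).
BEFORE = """Directory of disk0:/

88     -rwx  108563072    10:14:42 Apr 12 2024  asa-image.bin
90     -rwx  1024         09:01:10 Mar 03 2024  backup.cfg
"""
AFTER = BEFORE + (
    "93     -rwx  20480        02:13:55 Apr 26 2024  client_bundle_install.zip\n"
    "94     -rwx  4096         02:14:01 Apr 26 2024  vpn_profiles.zip\n")

if __name__ == "__main__":
    print(review_disk0(BEFORE, AFTER))
    print(listed_members(["./csco_config.lua", "./readme.txt"]))
```

Because several of the listed files delete themselves, an empty result from `listed_members` does not clear an appliance; any entry under `new_zips` still warrants review.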

How Lodestone is Responding

Lodestone is monitoring client perimeter devices discovered by Karma to identify potentially impacted devices and support organizations in remediation of any issues found.
