
Cisco ASA Devices Backdoored Via Two Zero-Days (CVE-2024-20353 and CVE-2024-20359)

Advisory
01 MAY 2024


Background

Cisco has warned that two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls have been actively exploited since November 2023 to breach government networks worldwide. The two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, allow threat actors to deploy previously unknown malware and maintain persistence on compromised ASA and FTD devices.

CVE-2024-20353 is a vulnerability in the management and VPN web servers of Cisco Adaptive Security Appliance software and Cisco Firepower Threat Defense software. It allows an unauthenticated, remote attacker to cause the device to reload unexpectedly, degrading its uptime and resulting in a denial of service (DoS) condition.

CVE-2024-20359 is a vulnerability in a legacy capability that preloads VPN clients and plug-ins for Cisco Adaptive Security Appliance software and Cisco Firepower Threat Defense software. It allows an authenticated, local attacker to execute arbitrary code with escalated privileges; administrator-level privileges are required to exploit it.


Affected Products

To determine whether a device running Cisco ASA Software or FTD Software is affected, run the command show asp table socket | include SSL and look for an SSL listen socket on any TCP port.

If a socket is present in the output, the device should be considered vulnerable.
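As an added triage example (not from Cisco's advisory or this page), the following Python applies that check to captured command output: it parses constructed show asp table socket lines (column layout assumed to be Protocol, Socket, State, Local Address, Foreign Address) and reports only SSL sockets in LISTEN state, ignoring established sessions and non-SSL listeners.

```python
from typing import List, Tuple

# Constructed sample of "show asp table socket" output; the column layout
# (Protocol, Socket, State, Local Address, Foreign Address) is an assumption,
# and the addresses are documentation ranges, not a real device.
SAMPLE_OUTPUT = """\
Protocol  Socket    State      Local Address                 Foreign Address
SSL       00012bac  LISTEN     192.0.2.1:443                 0.0.0.0:*
SSL       00015e48  LISTEN     198.51.100.7:8443             0.0.0.0:*
SSL       0001a3f0  ESTAB      192.0.2.1:443                 203.0.113.9:51022
TCP       0001b2c4  LISTEN     192.0.2.1:22                  0.0.0.0:*
"""


def ssl_listen_sockets(output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every SSL socket in LISTEN state.

    This mirrors the advisory's check: "show asp table socket | include SSL"
    and look for an SSL listen socket on any TCP port. Established SSL
    sessions and non-SSL listeners (e.g. SSH on TCP/22) are ignored.
    """
    found: List[Tuple[str, int]] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SSL":
            continue  # header line, blank line, or non-SSL protocol
        if fields[2].upper() != "LISTEN":
            continue  # an ESTAB/CLOSE_WAIT session is not a listener
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # unexpected column layout; skip rather than guess
        found.append((addr, int(port)))
    return found


def considered_vulnerable(output: str) -> bool:
    """Per the advisory, any SSL listen socket means the device should be
    treated as vulnerable until the fixed software is installed."""
    return bool(ssl_listen_sockets(output))


if __name__ == "__main__":
    for addr, port in ssl_listen_sockets(SAMPLE_OUTPUT):
        print(f"SSL listener on {addr}:{port}")
    print("vulnerable configuration:", considered_vulnerable(SAMPLE_OUTPUT))
```

Feed it the saved output of the command from each device (for example, collected by an existing configuration-backup job) to triage a fleet without logging in to every appliance by hand.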

For the ASA Software and FTD Software vulnerable configurations, refer to https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2


Recommendations


References