Cisco released software updates to address two actively exploited vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (CVE-2024-20353 & CVE-2024-20359). Successful exploitation of the vulnerabilities may result in remote code execution and denial of service (DoS) conditions.
CISA added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, acknowledging the active exploitation. CISA requested users to patch the vulnerabilities before May 1, 2024.
Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in various form factors. ASA Software also integrates with other critical security technologies to provide comprehensive solutions that meet continuously evolving security requirements.
Cisco Firepower Threat Defense is an integrative software image combining Cisco ASA and Firepower features into one hardware and software-inclusive system. This cloud-delivered security service edge (SSE) solution, grounded in zero trust, gives users protected access from any device to anywhere.
CVE-2024-20353: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
The vulnerability exists in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability originates from incomplete error checking when parsing an HTTP header.
An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. On successful exploitation, an attacker may cause a denial of service (DoS) condition when the device reloads.
CVE-2024-20359: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
The vulnerability exists in a legacy capability that enables the preloading of VPN clients and plug-ins, available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. To exploit the vulnerability, an attacker must gain Administrator-level privileges. This vulnerability arises from improper file validation when read from system flash memory.
An attacker could exploit this vulnerability by copying a crafted file to an affected device’s disk0: file system. On successful exploitation, an attacker may execute arbitrary code on the affected device after the next reload, which could alter system behavior.
Affected Versions
- From 9.8.1 Prior to 9.16.4.57
- From 9.17.1 Prior to 9.18.4.22
- From 9.19.1 Prior to 9.19.1.28
- From 9.20.1 Prior to 9.20.2.10
Mitigation
Cisco has released software updates to address vulnerabilities. Customers can refer to the Cisco Security Advisories cisco-sa-asaftd-persist-rce-FLsNXF4h and cisco-sa-asaftd-websrvs-dos-X8gNucD2 for information about the vulnerability.
Qualys Detection
Qualys customers can scan their devices with QIDs 317450 and 317451 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2