Cisco released an advisory to address a security vulnerability impacting Cisco Adaptive Security Appliance Software. Tracked as CVE-2024-20329, the vulnerability has a critical severity rating with a CVSS score of 9.9. Successful exploitation of the vulnerability could allow the attacker to execute commands on the underlying operating system with root-level privileges.
Cisco mentioned in the advisory that they are not aware of any public exploitation of the vulnerability.
Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in various form factors. ASA Software also integrates with other critical security technologies to provide comprehensive solutions that meet continuously evolving security needs.
Vulnerability Description
The vulnerability originates from insufficient validation of user input. An attacker may exploit this vulnerability by submitting crafted input while executing remote CLI commands over SSH. An authenticated, remote attacker may execute commands on the underlying operating system with root-level privileges on successful exploitation. An attacker with limited user privileges could use this vulnerability to gain complete control over the system.
Affected Versions
This vulnerability affects Cisco products if they run a vulnerable release of Cisco ASA Software and have the CiscoSSH stack enabled and SSH access allowed on at least one interface.
Determine Whether the CiscoSSH Stack Is Enabled
To determine whether the CiscoSSH stack is enabled on a device, use the show running-config | include ssh command and verify the presence of the ssh stack ciscossh configuration and an SSH ACL, as shown below:
ciscoasa# show run | include ssh
aaa authentication ssh console LOCAL
ssh scopy enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ciscoasa#
Mitigation
Cisco has released software updates to address the vulnerability.
Customers can refer to the Cisco Security Advisory (cisco-sa-asa-ssh-rce-gRAuPEUF) for information about the vulnerability.
Workarounds
Enable the native SSH stack by disabling the CiscoSSH stack using the no ssh stack ciscossh command.
ciscoasa# conf t
ciscoasa(config)# no ssh stack ciscossh
Connection to 192.168.1.1 closed by remote host.
Connection to 192.168.1.1 closed.
Note: Any open SSH login sessions will be terminated when the command is run. Log in once more and save the configuration if you want this modification to last through reboots.
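The configuration check above (presence of ssh stack ciscossh plus an SSH access entry) and the post-workaround verification are easy to automate across a fleet once the show run | include ssh output has been captured from each device. The following Python script is an added example, not part of the advisory or Cisco's tooling: it parses captured output, flags devices that still meet both configuration preconditions, and confirms that the workaround has taken effect. The sample input is transcribed from the listing shown earlier; the "after workaround" sample and the assumption that the ssh stack ciscossh line disappears from the running configuration once the native stack is selected are constructed for this example. Software version is not checked here and must still be compared against the advisory.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample "show run | include ssh" output, transcribed from the listing quoted
# in the advisory above (constructed input for this example).
SAMPLE_BEFORE_WORKAROUND = """\
ciscoasa# show run | include ssh
aaa authentication ssh console LOCAL
ssh scopy enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ciscoasa#
"""

# Constructed: the same device after "no ssh stack ciscossh" and a config save.
# Assumption: once the native stack is selected, the "ssh stack ciscossh" line
# no longer appears in the running configuration.
SAMPLE_AFTER_WORKAROUND = "\n".join(
    line for line in SAMPLE_BEFORE_WORKAROUND.splitlines()
    if line.strip() != "ssh stack ciscossh"
) + "\n"

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# ASA SSH access entries: "ssh <ipv4> <mask> <interface>" or
# "ssh <ipv6-prefix>/<len> <interface>". Keyword lines such as "ssh timeout 5"
# or "ssh stack ciscossh" do not match because their second token is not an address.
_SSH_ACL_RE = re.compile(
    rf"^ssh\s+(?P<addr>{_IPV4}|[0-9A-Fa-f:]+/\d{{1,3}})\s+"
    rf"(?:(?P<mask>{_IPV4})\s+)?(?P<iface>\S+)\s*$"
)


@dataclass
class SshExposure:
    """Result of checking one device's SSH configuration."""
    ciscossh_enabled: bool = False
    # (address, mask-or-None, interface) for every SSH access entry found
    ssh_acls: List[Tuple[str, Optional[str], str]] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # The advisory's two configuration preconditions: CiscoSSH stack enabled
        # and SSH access allowed on at least one interface. The software release
        # must still be checked separately against the advisory.
        return self.ciscossh_enabled and bool(self.ssh_acls)


def assess_ssh_exposure(show_run_output: str) -> SshExposure:
    """Parse captured 'show run | include ssh' output and flag the vulnerable
    configuration state described in the advisory."""
    result = SshExposure()
    for raw in show_run_output.splitlines():
        line = raw.strip()
        # Skip blank lines, the echoed command and the trailing prompt.
        if not line or line.endswith("#") or "# " in line:
            continue
        if line == "ssh stack ciscossh":
            result.ciscossh_enabled = True
            continue
        match = _SSH_ACL_RE.match(line)
        if match:
            result.ssh_acls.append((match["addr"], match["mask"], match["iface"]))
    return result


def summarize(result: SshExposure) -> str:
    """One-line verdict suitable for a fleet-wide report."""
    if result.exposed:
        ifaces = ", ".join(sorted({acl[2] for acl in result.ssh_acls}))
        return f"CHECK VERSION: CiscoSSH stack enabled, SSH allowed on {ifaces}"
    if result.ciscossh_enabled:
        return "OK: CiscoSSH stack enabled but no SSH access entries"
    return "OK: native SSH stack in use (workaround applied or not affected)"


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE_WORKAROUND),
                        ("after", SAMPLE_AFTER_WORKAROUND)):
        print(f"{label}: {summarize(assess_ssh_exposure(text))}")
```

Run the check again after the device is reloaded: if the ssh stack ciscossh line reappears, the configuration was not saved after the workaround was applied. A device reported as "CHECK VERSION" is only affected if it also runs a vulnerable release listed in the advisory.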
Qualys Detection
Qualys customers can scan their devices with QID 317530 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.