Cisco ASA Device May Be Compromised by Hackers

Cisco ASA Device May Be Compromised by Hackers 

Cisco ASA Device May Be Compromised by Hackers

About the new Vulnerability
  • Cisco CVE-2024-20353
  • Cisco CVE-2024-20359

As you may heard about the two new actively exploited Cisco vulnerabilities impacting Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

"On a breached ASA, attackers send shellcode to the host-scan-reply field, which is subsequently processed by the Line Dancer implant. The host-scan-reply parameter, which is often used later in the SSL VPN connection setup process, is handled by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with 'client-services', or HTTPS management access," the researchers explained.

"The actor changes the pointer to the default host-scan-reply code to the Line Dancer shellcode interpreter. This allows the actor to connect with the device via POST requests rather than authenticating and interacting directly through typical administration interfaces."

About Cisco CVE-2024-20353 and CVE-2024-20359

Exploit of these two vulnerabilities impact the management and VPN web servers and legacy capability for Cisco's ASA and FTD software:  

CVE-2024-20353 (Vendor CVSS Score 8.6) allows an unauthenticated, remote attacker to force a compromised device to reload unexpectedly, resulting in a denial of service (DoS) condition.

CVE-2024-20359 (Vendor CVSS Score 6.0) allows an unauthenticated, local attacker to execute arbitrary code with root-level privileges. (Note: Administrator privileges are required to exploit this vulnerability.)

Specifically, Cisco's Talos Intelligence reported an ongoing campaign ("ArcaneDoor"), in which threat actors from UAT4356 deployed two backdoors (“Line Runner” and “Line Dancer”). 

These threat actors conducted multiple malicious activities, including:

  • Configuration modification,
  • Reconnaissance,
  • Network traffic capture/exfiltration, and
  • Potential lateral movement. 

Cisco has issued patches for CVE-2024-20353 and CVE-2024-20359, gave signs of compromise, Snort signatures, and described multiple methods for detecting the Line Runner backdoor on ASA devices.

Organizations using Cisco ASA are encouraged to apply the updates as soon as feasible because there are no workarounds to address the two vulnerabilities.

More on Vulnerability, Please check 
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability

Free Tools...