External risk intelligence

Cisco ASA and FTD: Local Code Execution Risk via File Manipulation.

CVE advisoryKnown Exploit

CVE-2024-20359

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software contain a vulnerability allowing an authenticated local attacker with administrator privileges to execute arbitrary code. This could alter system behavior and persist across reboots, posing a significant business risk.

1Halo Surface Signal

Code Injection

Cisco Adaptive Security Appliance Software

9.8.19.8.1.59.8.1.79.8.29.8.2.89.8.2.149.8.2.159.8.2.179.8.2.209.8.2.249.8.2.269.8.2.289.8.2.339.8.2.359.8.2.389.8.39.8.3.89.8.3.119.8.3.149.8.3.169.8.3.18;...

External exposure likelihood

Halo Surface Signal score for CVE-2024-20359

This vulnerability requires an authenticated attacker with pre-existing administrator-level privileges to perform local file system operations on the device. It is not exploitable over a network connection or by an unauthenticated user, limiting the attack surface to those who have already successfully compromised or gained administrative access to the internal appliance.

Horizon Alert

Summary of the vulnerability and why it matters

A legacy capability within Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software is susceptible to a vulnerability. This flaw could allow an authenticated local attacker to execute arbitrary code with root-level privileges on an affected device. The exploit requires administrator-level access to initiate.

Vulnerable legacy VPN client capability
Improper file validation
Potential for altered system behavior

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker with existing administrator privileges to execute arbitrary code on a Cisco Adaptive Security Appliance or Firepower Threat Defense device. The attack involves the attacker copying a specially crafted file to the device's file system. Once the device is reloaded, the malicious code can execute with root-level privileges, potentially altering system behavior. This persistence across reboots is a key aspect of the exploit.

Required exposure: Local administrator access.
Attacker starting point: Authenticated administrator.
Trigger and result: Copy file, reload device, execute code.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a localized risk, meaning an attacker must already possess administrative access to the affected Cisco devices. The attacker would need to copy a malicious file to the device's system, which could then lead to the execution of arbitrary code upon the next device reload. This could alter system behavior and persist across reboots. The Cisco Security Impact Rating has been raised to High due to the potential for persistent code execution.

Likely attacker skill: Administrator level access required.
Required access or conditions: Local access to a device.
Business risk or urgency: Potential for persistent code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. An authenticated local attacker with administrator privileges could exploit this by copying a crafted file to the device. Successful exploitation could allow the attacker to execute arbitrary code, altering system behavior and potentially persisting across reboots. The vendor has escalated the security impact rating for this advisory to High due to the persistence of the exploit.

Identify exposed Cisco ASA and FTD assets.
Reduce exposure or isolate affected systems.
Apply vendor fix, verify, and monitor.

Frequently asked questions

What is Cisco ASA and FTD software?

Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) are software platforms used for network security. ASA provides firewall and VPN capabilities, while FTD integrates firewall, intrusion prevention, and advanced threat detection into a single system.

What kind of vulnerability does CVE-2024-20359 represent?

CVE-2024-20359 is a code injection vulnerability, classified as CWE-94. This type of weakness occurs when software improperly validates or neutralizes external input used in code generation, potentially allowing an attacker to inject and execute arbitrary code.

What are the preconditions for exploiting this vulnerability?

An attacker needs administrator-level privileges on the affected device and must be able to copy a crafted file to the system's disk0: file system. The vulnerability is not triggered by unauthenticated users or network-based attacks.

Who should be concerned about this vulnerability?

Organizations using Cisco ASA or FTD software should be concerned. Since this vulnerability requires local administrator access to exploit, it is considered an internal threat to an organization's network rather than an external one.

What is the first step to address CVE-2024-20359?

The primary recommended action is to update to the fixed versions of Cisco ASA and FTD software provided by Cisco.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.