CVE-2024-20359
Published: 24 April 2024
Summary
CVE-2024-20359 is a medium-severity Code Injection (CWE-94) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.0 (Medium).
Operationally, it ranks at the 33.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in a legacy capability for preloading VPN clients and plug-ins affects Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The issue stems from improper validation of files read from system flash memory and could permit an authenticated local attacker to execute arbitrary code with root-level privileges after a device reload. Administrator privileges are required, and the injected code can persist across reboots, prompting Cisco to raise the Security Impact Rating from Medium to High. The flaw carries a CVSS 3.1 score of 6.0 and is associated with CWE-94.
An attacker with local administrative access can exploit the vulnerability by placing a crafted file on the disk0: file system of an affected device. Successful exploitation allows arbitrary code execution on the next reload, enabling alteration of system behavior that survives reboots.
Cisco has published a security advisory detailing the issue, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score rose materially from a low baseline to a peak of 0.0118 on 2024-04-25 before receding, indicating post-disclosure exploitation interest.
A Talos Intelligence report links the vulnerability to the ArcaneDoor espionage campaign targeting perimeter network devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18074
Vulnerability details
A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 24 April 2024
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches that remove the legacy VPN preloading mechanism and eliminate the improper file-validation flaw.
- CM-7 (Least Functionality): Mandates disabling or removing non-essential legacy capabilities (the VPN client/plug-in preloader) so the vulnerable code path no longer exists.
- File integrity verification: Requires integrity verification of files read from flash (disk0:) so that a crafted file is detected before the next reload executes the injected code.
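As an added, defender-side illustration of the integrity-verification control (not code from this page, from Cisco, or from the advisory): the script below compares a previously recorded baseline of disk0: file names and SHA-256 digests against a fresh listing taken before a scheduled reload, and reports files that were added, changed, or removed. The two-column "path digest" listing format, the file names and the digests are constructed for the example; a real deployment would populate both listings from whatever export of flash contents and hashes the device and its management tooling provide.

```python
"""Baseline comparison of disk0: contents ahead of a reload.

Added example. The listing format ('<path> <sha256hex>' per line), the
file names and the digests below are constructed for illustration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex (used to build sample data)."""
    return hashlib.sha256(data).hexdigest()


def parse_listing(text: str) -> dict:
    """Parse '<path> <sha256hex>' lines into {path: digest}.

    Blank lines and '#' comments are ignored; digests are normalised to
    lowercase so that baseline and current listings compare reliably.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, digest = line.split()
        entries[path] = digest.lower()
    return entries


def diff_flash(baseline: dict, current: dict) -> dict:
    """Return paths that are new, changed, or missing relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def needs_attention(report: dict) -> bool:
    """Any deviation from the baseline is worth a look before reloading."""
    return bool(report["added"] or report["modified"] or report["removed"])


# Constructed sample data: a baseline captured after a clean install, and a
# listing taken later in which one package changed and one file appeared.
BASELINE_LISTING = (
    "# constructed baseline recorded after a clean install\n"
    f"disk0:/image.bin {sha256_hex(b'firmware image bytes')}\n"
    f"disk0:/vpn-client.pkg {sha256_hex(b'vpn client package bytes')}\n"
)
CURRENT_LISTING = (
    "# constructed listing taken before a scheduled reload\n"
    f"disk0:/image.bin {sha256_hex(b'firmware image bytes')}\n"
    f"disk0:/vpn-client.pkg {sha256_hex(b'tampered package bytes')}\n"
    f"disk0:/unexpected.cfg {sha256_hex(b'file nobody staged')}\n"
)


def example_report() -> dict:
    """Run the comparison over the constructed sample listings."""
    return diff_flash(parse_listing(BASELINE_LISTING), parse_listing(CURRENT_LISTING))


if __name__ == "__main__":
    report = example_report()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9}{path}")
    print("attention needed" if needs_attention(report) else "flash matches baseline")
```

The baseline must be recorded from a known-good state and stored off the device; a manifest kept on the same flash that an administrator-level attacker can write to is not a trustworthy reference.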