May 4, 2024

Cisco ASA and FTD Vulnerability Under Active Exploitation

By

Matthew Fagan, Access Point Consulting

By

Access Point Consulting

Summary

A vulnerability in Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software, categorized as CVE-2024-20353 (CVSSv3: 8.6), results in a denial-of-service condition when exploited, allowing an unauthenticated, remote attacker to cause the device to reload unexpectedly. According to Cisco, this vulnerability is due to incomplete error checking when parsing an HTTP header. It is exploited by sending a specifically crafted HTTP request to a targeted web server. CISA has added this to their Known Exploited Vulnerabilities Catalog, adding to the urgency to remediate.

Impact Assessment

This vulnerability allows a remote, unauthenticated attacker to perform an exploit to cause a denial-of-service condition on the affected device. Evidence of exploitation has been confirmed by Cisco.

According to Cisco, to determine whether a device that is running Cisco ASA or FTD is affected, use the “show asp table socket | include SSL” command and look for an SSL listen socket on any port.

Remediation

Please see the Cisco Software Checker to determine the version to which you are required to update.

The following resources from Cisco will assist in determining your best choice:

What It Means for You

If you are a user of Cisco ASA or Cisco FTD software, you are advised to review their security advisory, utilize the Cisco Software Checker to see if you are vulnerable, and perform updates if applicable.

Business Implications

Exploitation of this vulnerability allows for a denial-of-service condition to be applied to VPN servers for the ASA and FTD software it could be crippling to the business. VPN connections are crucial for providing a secure connection to internal organizational resources, if a user is unable to connect to this VPN service, they will not be able to perform business operations.

Access Point Consulting Recommends

Patch: We recommend patching the following software as soon as possible, exploitation would be detrimental to the organization’s bottom line, and there is evidence of active exploitation, raising the risk level.

Associated Bulletins

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2

https://nvd.nist.gov/vuln/detail/CVE-2024-20353

Resources

CyberWatch

May 16, 2024

Ransomware Pandemic Hits Ascension Hospitals

On May 9, Ascension, a leading private healthcare provider managing 140 hospitals across the United States, confirmed experiencing a significant ransomware attack initiated by the Black Basta group. This cybersecurity breach was first detected the day before, May 8, because of unusual activity on the organization's network systems. The attack severely disrupted operations, leading to delays and postponements of patient appointments and other healthcare services.

Find out more
May 16, 2024

Two Exploited Zero-Day Vulnerabilities Patched

Microsoft released their security updates for May of 2024 which include fixes for two zero-day vulnerabilities: CVE-2024-30040 (CVSSv3: 8.8) and CVE-2024-30051 (CVSSv3:7.8). CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege Vulnerability) allows for a local attacker to exploit this vulnerability to gain system-level privileges. CVE-2024-30040 (Windows MSHTML Platform Security Feature Bypass Vulnerability) allows a remote attacker to bypass OLE mitigations in M365 and Microsoft Office that protect users from vulnerable COM/OLE controls. It requires an attacker to convince a user to load a malicious file into a vulnerable system and manipulate it. This can allow an unauthenticated attacker to achieve remote arbitrary code execution from the context of the user. Both of these vulnerabilities are known to be exploited and have each been added to CISA’s Known Exploited Vulnerabilities Catalog, giving them a heightened patch priority and associated risk.

Find out more
May 10, 2024

Fix Available for Use-After-Free Vulnerability in Tinyproxy

This is a vulnerability that exists in HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.1 classified as CVE-2024-49606 (CVSSv3: 9.8). Cisco Talos security researchers describe this vulnerability as a use-after-free which exists in the HTTP Connection Headers of vulnerable versions of tiny proxy. Utilizing a specially crafted HTTP header can trigger reuse of previously freed memory which leads to memory corruption and can potentially lead to remote code execution. This method does not require authentication. This vulnerability is considered a zero day, but a fix has been made available through GitHub.

Find out more

Peace of mind starts today, with Access Point Consulting

Meet with an Expert