Fortra is actively investigating an attack campaign dubbed “ArcaneDoor” against Cisco Adaptive Security Appliances (ASA) and Cisco Firepower Threat Defense (FTD) software. The campaign has been used to implant malware, execute commands, and potentially exfiltrate data. While the initial attack vector has not yet been identified, Cisco has identified three vulnerabilities impacting these devices, two of which have been used within the attack.
- CVE-2024-20353
- CVE-2024-20358
- CVE-2024-20359
All three vulnerabilities have been patched as part of the Cisco Threat Response.
Who is affected?
The following versions of Cisco ASA and Cisco FTD are affected:
- Cisco Adaptive Security Appliance (ASA) Software 9.12 up to and including 9.12.4.65
- Cisco Adaptive Security Appliance (ASA) Software 9.14 up to and including 9.14.4.23
- Cisco Adaptive Security Appliance (ASA) Software 9.15 up to and including 9.15.1.21
- Cisco Adaptive Security Appliance (ASA) Software 9.16 up to and including 9.16.4.55
- Cisco Adaptive Security Appliance (ASA) Software 9.17 up to and including 9.17.1.33
- Cisco Adaptive Security Appliance (ASA) Software 9.18 up to and including 9.18.4.8
- Cisco Adaptive Security Appliance (ASA) Software 9.19 up to and including 9.19.1.27
- Cisco Adaptive Security Appliance (ASA) Software 9.20 up to and including 9.20.2
- Cisco Adaptive Security Appliance (ASA) Software 9.8 up to and including 9.8.4.48
- Cisco Firepower Threat Defense Software 6.2 up to and including 6.2.3.18
- Cisco Firepower Threat Defense Software 6.4 up to and including 6.4.0.17
- Cisco Firepower Threat Defense Software 6.6 up to and including 6.6.7.1
- Cisco Firepower Threat Defense Software 6.7 up to and including 6.7.0.3
- Cisco Firepower Threat Defense Software 7.0 up to and including 7.0.6.1
- Cisco Firepower Threat Defense Software 7.1 up to and including 7.1.0.3
- Cisco Firepower Threat Defense Software 7.2 up to and including 7.2.5.1
- Cisco Firepower Threat Defense Software 7.3 up to and including 7.3.1.1
- Cisco Firepower Threat Defense Software 7.4 up to and including 7.4.1
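To triage an inventory against the list above, the following added example (not Fortra's or Cisco's code) checks a reported version against each train's last affected release. It assumes versions arrive either in the dotted form used on this page or in the parenthesized form ASA reports, such as 9.16(4)55, with any build suffix already removed; the hostnames and sample versions are constructed.

```python
import re

# Last affected release per train, copied from the list above.
AFFECTED = {
    "ASA": ["9.8.4.48", "9.12.4.65", "9.14.4.23", "9.15.1.21", "9.16.4.55",
            "9.17.1.33", "9.18.4.8", "9.19.1.27", "9.20.2"],
    "FTD": ["6.2.3.18", "6.4.0.17", "6.6.7.1", "6.7.0.3", "7.0.6.1",
            "7.1.0.3", "7.2.5.1", "7.3.1.1", "7.4.1"],
}


def parse_version(text):
    """Turn '9.16(4)55' or '9.16.4.55' into a zero-padded 4-part tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, version):
    """True if version sits in a listed train at or below its last affected release."""
    ver = parse_version(version)
    for ceiling in AFFECTED[product.upper()]:
        top = parse_version(ceiling)
        if ver[:2] == top[:2]:      # same major.minor train
            return ver <= top
    return False                    # train is not in the list above


def triage(inventory):
    """Return hostnames whose reported version falls in an affected range."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("edge-fw-01", "ASA", "9.16(4)55"),   # equals the last affected 9.16 release
    ("edge-fw-02", "ASA", "9.16(4)57"),   # above the listed 9.16 ceiling
    ("dc-fw-01", "FTD", "7.2.5.1"),
    ("dc-fw-02", "FTD", "7.4.2"),
    ("lab-fw-01", "ASA", "9.20(2)"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, update required")
```

A False result for a train that is not in the list only means this page does not cover it; confirm such versions against Cisco's advisory.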
What can I do?
Cisco has released software updates that address these vulnerabilities. Fortra recommends updating as soon as possible.
For more information on this attack campaign and Cisco’s response, including specific mitigation steps for each vulnerability, refer to Cisco’s Event Response advisory.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on April 26, 2024, to check for vulnerable versions of Cisco ASA. Authenticated scan coverage was released on May 2, 2024, to check for vulnerable versions of Cisco Firepower. If any of these vulnerabilities are found, an exposure (EIDs: 262435, 262477, or 262478) will be raised based on which vulnerabilities are found.
FortraVM: On May 31, 2024, Fortra released authenticated scan checks for CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 via Network Scanner 4.43.0. If these vulnerabilities are found, one or more of the following vulnerabilities will be raised:
- Vulnerability 159785: Cisco Security Advisory: CISCO-SA-ASAFTD-WEBSRVS-DOS-X8GNUCD2
- Vulnerability 159784: Cisco Security Advisory: CISCO-SA-ASAFTD-CMD-INJ-ZJV8WYSM
- Vulnerability 159786: Cisco Security Advisory: CISCO-SA-ASAFTD-PERSIST-RCE-FLSNXF4H
Tripwire IP360: Tripwire released authenticated scan coverage on May 1, 2024, to identify vulnerable instances. If the vulnerabilities are found, vulnerability 628287 will match for CVE-2024-20353, vulnerability 628288 will match for CVE-2024-20358, and vulnerability 628289 will match for CVE-2024-20359.
Updates
Fortra has kicked off the Emerging Threat process for these vulnerabilities. This article will be updated with new information about them and related Fortra coverage as it becomes available.