
Cisco Releases October 2024 ASA, FMC, and FTD Software Security Advisory Bundled Publication



Summary

35 advisories are included in the semi-annual Cisco Adaptive Security Appliance Software (ASA), Firepower Management Center (FMC) Software, and Firepower Threat Defense (FTD) Software Security Advisory bundled publication.


Threat details

Cisco Software Checker

To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities.


Introduction

Cisco has released 35 security advisories that cover 51 vulnerabilities in its semi-annual bundle of Cisco Adaptive Security Appliance Software (ASA), Firepower Management Center (FMC) Software, and Firepower Threat Defense (FTD) Software Advisories.

The bundled publication includes 3 advisories with a critical security impact rating, 11 with high security impact, 20 advisories with medium impact, and 1 advisory rated as informational. Of these advisories, special attention should be given to two medium impact advisories, described in the section on exploitation below, because of exploitation in the wild or the availability of exploit code.

In addition, three critical security impact advisories also warrant close inspection. Two of them address command injection vulnerabilities which, if exploited, could allow an authenticated, remote attacker to execute commands as root. The third critical advisory concerns a static credential vulnerability that could allow an attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a re-image of the device.

  • cisco-sa-asa-ssh-rce-gRAuPEUF | Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability - CVE-2024-20329
  • cisco-sa-fmc-cmd-inj-v3AWDqN7 | Cisco Secure Firewall Management Center Software Command Injection Vulnerability - CVE-2024-20424
  • cisco-sa-ftd-statcred-dFC8tXT5 | Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability - CVE-2024-20412

More information about the other advisories not described in this cyber alert can be found in the October 2024 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Exploitation in the wild and PoC exploit code available

  • Exploited in the wild:
    Outlined in medium impact advisory ID cisco-sa-asaftd-bf-dos-vDZhLqrW, a brute force denial-of-service (DoS) vulnerability known as CVE-2024-20481 could be exploited by an unauthenticated, remote attacker by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow an attacker to exhaust resources, resulting in a DoS of the Remote Access VPN service on the affected device. The advisory lists possible indicators of compromise (IoCs) and mitigation.
     
  • Proof-of-concept exploit code available:
    Medium impact advisory ID cisco-sa-fmc-xss-infodisc-RL4mJFer contains three vulnerabilities, two that address cross-site scripting (XSS) and one that could lead to information disclosure. Cisco is not aware of any malicious use of the vulnerabilities, but public proof-of-concept exploit code is available. The NHS England National CSOC consider exploitation of these vulnerabilities more likely.

Exploitation of CVE-2024-20481 and proof-of-concept code for three other vulnerabilities

The NHS England National CSOC consider the exploitation of CVE-2024-20481 highly likely to continue.

With PoC exploit code available, exploitation of vulnerabilities CVE-2024-20377, CVE-2024-20387, and CVE-2024-20388 is considered more likely.


Remediation advice

Affected organisations are encouraged to review the October 2024 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication and its linked advisories and apply any relevant security updates.

Additional mitigation guidance is available in the Recommendations Against Password Spray Attacks Aimed at Remote Access VPN Services in Secure Firewall TechNote.
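
The following is an added example, not part of the original alert or of Cisco's advisory: a sliding-window check that flags bursts of rejected VPN authentication messages of the kind described for CVE-2024-20481. The syslog message IDs, the timestamp prefix, the threshold and the sample lines are assumptions; replace them with the indicators listed in the Cisco advisory and the format your log collector produces.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumption: ASA syslog IDs for rejected AAA / WebVPN authentication.
# They are not listed on this page; confirm them against the Cisco advisory.
REJECT_IDS = {"113005", "113015", "716039"}
# Assumption: the collector prefixes each line with an ISO 8601 UTC timestamp.
LINE_RE = re.compile(r"^(\S+)\s+%ASA-\d-(\d{6}):")

def parse_rejects(lines):
    """Yield the timestamp of every rejected-authentication message."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) in REJECT_IDS:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")

def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return (start, peak_count) for each run of >= threshold rejects
    seen inside the sliding window; a run ends when the count drops."""
    recent, bursts, current = deque(), [], None
    for ts in sorted(parse_rejects(lines)):
        recent.append(ts)
        while ts - recent[0] > window:      # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if current is None:
                current = [recent[0], len(recent)]
            current[1] = max(current[1], len(recent))
        elif current is not None:
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts

def sample_log():
    """Constructed sample: 3 routine failures, then 30 rejects in 30 seconds."""
    base = datetime(2024, 10, 24, 9, 0, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} %ASA-6-{}: {}"
    lines = [fmt.format(base + timedelta(minutes=10 * i), "113015",
                        "AAA user authentication Rejected (constructed)")
             for i in range(3)]
    lines.append(fmt.format(base, "302013", "Built inbound TCP (constructed)"))
    flood = base + timedelta(hours=1)
    lines += [fmt.format(flood + timedelta(seconds=i), "716039",
                         "Authentication: rejected (constructed)")
              for i in range(30)]
    return lines
```

Tune `threshold` and `window` to the normal failed-login rate of the Remote Access VPN service being monitored, so that routine mistyped passwords do not trigger an alert.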




Last edited: 24 October 2024 4:00 pm