Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability

Monitor | CVSS 6 | cisco-sa-asaftd-cmd-inj-ZJV8Wysm | Apr 24, 2024
Cisco | Energy | Manufacturing
IT in OT: Cisco networking products are commonly deployed in OT environments
Attack path
  • Attack vector: Local
  • Auth required: High
  • Complexity: Low
  • User interaction: None needed
Summary

A vulnerability in the backup restore functionality of Cisco ASA and Firepower Threat Defense (FTD) Software allows an authenticated, local attacker with administrator-level privileges to execute arbitrary commands with root-level access on the underlying Linux operating system. The vulnerability exists because backup file contents are improperly sanitized at restore time. An attacker could exploit this by restoring a crafted backup file, leading to complete system compromise and potential disruption or modification of firewall rules and network filtering policies.

What this means
What could happen
An authenticated attacker with admin credentials could restore a malicious backup file to your firewall, gaining root-level control over the device and potentially disrupting network access or modifying firewall rules that protect your critical infrastructure.
Who's at risk
Energy and manufacturing organizations using Cisco ASA, FTD, or Secure Firewall devices for network perimeter defense. This includes edge firewalls (5500-X, Secure Firewall 1200/3100/4200 series), industrial security appliances (3000 Series ISA), data center firewalls (Firepower 4100/9000 series), and virtual appliances (ASAv, FTD Virtual) in any deployment model.
How it could be exploited
An attacker with administrator-level access to the firewall's management interface (web UI or CLI) could upload and restore a crafted backup file. The firewall improperly sanitizes the backup contents at restore time, allowing the attacker to execute arbitrary commands with root privileges on the underlying Linux operating system.
Prerequisites
  • Administrator-level credentials on the affected firewall
  • Access to the firewall management interface (local or remote management access)
  • Ability to upload and restore a backup file
  • Authenticated access required (insider risk)
  • High privilege level required (admin credentials)
  • Affects network access control devices (impacts all downstream traffic)
  • No workarounds available; patching is the only solution
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 with fix
Product | Affected versions | Fix status
ASA 5500-X Series Firewalls | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Adaptive Security Virtual Appliance (ASAv) | All versions | Fix available
Firepower 2100 Series | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Remediation & Mitigation
Do now
  • HARDENING: Restrict administrative access to the firewall management interface to trusted personnel and networks only
  • HARDENING: Audit recent backup and restore operations to identify any unauthorized restore activities
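To support the audit item above, here is an added example (not code from the advisory or from Cisco) that scans ASA command-accounting syslog, lists every restore command and flags restores issued from outside a management allowlist. It assumes the ASA 111010 message format (User 'x', running 'y' from IP z, executed 'cmd'), the ASA `restore` CLI keyword, a placeholder trusted network 10.0.0.0/24, and constructed sample log lines.

```python
import re
from ipaddress import ip_address, ip_network

# ASA 111010 command-accounting message. Format assumed from the ASA syslog
# documentation, not taken from the advisory:
#   %ASA-5-111010: User 'u', running 'CLI' from IP a.b.c.d, executed 'cmd'
CMD_RE = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<ip>[0-9.]+), executed '(?P<cmd>[^']*)'"
)

# Commands that exercise the vulnerable backup-restore path (ASA 'restore' CLI)
RESTORE_RE = re.compile(r"^\s*restore\b", re.IGNORECASE)

# Placeholder management allowlist (constructed; replace with your own ranges)
TRUSTED_MGMT = [ip_network("10.0.0.0/24")]


def audit_restore_events(lines, trusted=TRUSTED_MGMT):
    """Return (user, source_ip, command, reason) for every restore in the log.

    reason is 'restore' when the source is inside the allowlist and
    'restore-from-untrusted-ip' when it is not."""
    findings = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m or not RESTORE_RE.match(m["cmd"]):
            continue  # not a command-audit line, or not a restore
        src = ip_address(m["ip"])
        trusted_src = any(src in net for net in trusted)
        reason = "restore" if trusted_src else "restore-from-untrusted-ip"
        findings.append((m["user"], m["ip"], m["cmd"], reason))
    return findings


# Constructed sample log lines (not real device output)
SAMPLE_LOG = [
    "%ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.7, executed 'show running-config'",
    "%ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.7, executed 'backup location disk0:/weekly.tar.gz'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.9, executed 'restore location disk0:/weekly.tar.gz'",
    "%ASA-5-111010: User 'contractor', running 'CLI' from IP 198.51.100.23, executed 'restore location disk0:/cfg.tar.gz'",
]

if __name__ == "__main__":
    for user, ip, cmd, reason in audit_restore_events(SAMPLE_LOG):
        print(f"{reason:28} user={user} src={ip} cmd={cmd!r}")
```

Every restore should be reconciled against a change ticket; the untrusted-source finding is the one to escalate first.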
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply the latest vendor-supplied security updates to all affected Cisco ASA, FTD, and Secure Firewall devices
Long-term hardening
  • HARDENING: Implement multi-factor authentication for firewall administrator accounts