CISA Adds Cisco and CrushFTP Flaws to Known Exploited Vulnerabilities Catalog

April 25, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include significant flaws in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls, and CrushFTP's Virtual File System (VFS).

This move comes after Cisco Talos warned that nation-state actor UAT4356, also known as STORM-1849, has been exploiting two zero-day vulnerabilities in these firewalls since November 2023. These attacks, part of a cyber-espionage campaign named ArcaneDoor, have targeted government networks worldwide.

The threat actors have deployed two backdoors, known as “Line Runner” and “Line Dancer.” These backdoors were discovered when a client reported suspicious activities related to their Cisco ASA to Cisco's Product Security Incident Response Team (PSIRT) and Talos in early 2024.

The vulnerabilities exploited by the threat actors are identified as CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). The Line Dancer backdoor acts as a memory-resident shellcode interpreter, allowing the adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, it uses the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation.

The Line Runner backdoor maintains persistence on the compromised devices. It exploits a legacy VPN client pre-loading capability and triggers at boot by searching for a specific file pattern on disk0:. Once it detects the file pattern, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, enabling the threat actors to maintain control.

The third vulnerability added to the KEV catalog is a CrushFTP VFS sandbox escape. CrushFTP is a file transfer server that supports various protocols for secure file transfer. In April, CrushFTP notified users of a virtual file system escape vulnerability in its software, which could enable users to download system files outside their VFS. This vulnerability has been exploited in targeted attacks in the wild.

According to Binding Operational Directive (BOD) 22-01, federal agencies are required to address these identified vulnerabilities by May 1st, 2024. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure to protect against attacks exploiting these flaws.
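As an added example (not part of the article, and not CISA's or Cisco's own tooling), here is a small Python cross-check of an asset inventory against a KEV-formatted feed, which is the review the paragraph above recommends. `KEV_SAMPLE` is a constructed snippet that mirrors the field names of CISA's public KEV JSON feed; only the two Cisco CVE IDs and the 2024-05-01 due date come from the article, and the older CVE-2018-0101 entry, the inventory hostnames and all other values are made up for the demonstration.

```python
"""Cross-check an asset inventory against a CISA KEV-style feed.

Added example, not code from the article or from CISA. KEV_SAMPLE is a
constructed snippet shaped like CISA's public KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
swap in the live feed and a real scanner/CMDB export to use it for real.
"""
import json
from datetime import date
from typing import Dict, List

ARTICLE_DATE = date(2024, 4, 25)  # "today" for the worked run

KEV_SAMPLE = json.dumps({
    "title": "CISA KEV (constructed sample)",
    "catalogVersion": "2024.04.25",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-20353", "vendorProject": "Cisco",
         "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
         "vulnerabilityName": "Cisco ASA and FTD Denial-of-Service Vulnerability",
         "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-20359", "vendorProject": "Cisco",
         "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
         "vulnerabilityName": "Cisco ASA and FTD Persistent Local Code Execution Vulnerability",
         "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        # Constructed older entry (dates made up) so the run shows an overdue item.
        {"cveID": "CVE-2018-0101", "vendorProject": "Cisco",
         "product": "Adaptive Security Appliance (ASA)",
         "vulnerabilityName": "Cisco ASA Remote Code Execution Vulnerability",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: each asset lists the CVEs a scanner still reports open.
INVENTORY: List[dict] = [
    {"hostname": "fw-edge-01", "vendor": "Cisco", "product": "ASA (sample)",
     "open_cves": ["CVE-2024-20353", "CVE-2024-20359"]},
    {"hostname": "fw-lab-02", "vendor": "Cisco", "product": "ASA (sample)",
     "open_cves": ["CVE-2018-0101"]},
    {"hostname": "web-03", "vendor": "ExampleCo", "product": "AppServer",
     "open_cves": ["CVE-0000-00000"]},  # placeholder CVE, not in KEV -> ignored
]


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index a KEV feed by CVE ID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def kev_exposure(inventory: List[dict], kev: Dict[str, dict], today: date) -> List[dict]:
    """One finding per (asset, open CVE) pair whose CVE is in KEV, most urgent first."""
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # open CVE, but no known exploitation per KEV
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["hostname"],
                "cve": cve,
                "name": entry["vulnerabilityName"],
                "due": due.isoformat(),          # ISO strings sort like dates
                "days_left": (due - today).days,
                "overdue": today > due,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["due"], f["asset"], f["cve"]))
    return findings


def summarize(findings: List[dict], soon_days: int = 7) -> Dict[str, int]:
    """Count findings by urgency bucket for a one-line status."""
    overdue = [f for f in findings if f["overdue"]]
    pending = [f for f in findings if not f["overdue"]]
    return {
        "overdue": len(overdue),
        "due_soon": sum(1 for f in pending if f["days_left"] <= soon_days),
        "later": sum(1 for f in pending if f["days_left"] > soon_days),
    }


if __name__ == "__main__":
    report = kev_exposure(INVENTORY, load_kev(KEV_SAMPLE), today=ARTICLE_DATE)
    for f in report:
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['asset']:<12} {f['cve']:<16} due {f['due']} ({flag})  {f['name']}")
    print(summarize(report))
```

Joining on CVE ID (rather than fuzzy vendor/product strings) keeps the match deterministic; the KEV product field is free text and varies between entries, so it is better used for the printed report than for matching. The sort puts already-overdue items ahead of the May 1 deadline entries, which is the order a remediation queue should follow.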
