home.social

#cve_2024_20358 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cve_2024_20358, aggregated by home.social.

  1. Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

    If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

    blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

    #CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

  2. So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: blog.talosintelligence.com/arc), first things first:

    DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

    "When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

    This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

    What you should do is (I'll quote):

    1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
    2. Use the enable command to change into privileged EXEC mode. Note: On devices that are running Cisco FTD Software, the enable password is blank.
    3. Collect the outputs of the following commands:
      • show version
      • verify /SHA-512 system:memory/text
      • debug menu memory 8
    4. Open a case with the Cisco Technical Assistance Center (TAC, cisco.com/c/en/us/support/inde). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

    Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from getting reinfected.

    I will repeat (without shouting this time):

    Patching is not a fix!

    "We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

    There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the Cisco advisory page (sec.cloudapps.cisco.com/securi), but it is also local (not "network"), so I guess that won't save anyone from reinfection either. But that's just me guessing.

    #CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

    Final question for anyone still reading: why the debug menu memory 8? What does it do?
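A small triage helper for the collection procedure quoted in the post above, added here as an example; it is not the poster's, Talos's or Cisco's code. It does not log in to anything: you paste in the text captured from the ASA CLI session and it extracts the software version and the SHA-512 of system:memory/text, compares the hash with a known-good table you maintain (the values below are placeholders, not real Cisco hashes), refuses to emit any command that would reboot or crash-dump the device, and writes the raw outputs into an evidence directory with SHA-256 checksums so what goes to TAC is verifiably unaltered. The line formats matched by the regexes, the "reload"/"crashinfo" prefixes and the sample outputs are all assumptions constructed for the example.

```python
"""ArcaneDoor CLI-output triage (added example, not from the original post).

Assumptions (not verified against a real device):
  - `show version` contains "Adaptive Security Appliance Software Version X".
  - `verify /SHA-512 system:memory/text` prints one 128-hex-char digest.
  - "reload" and "crashinfo ..." are the commands that would wipe the implant.
  - KNOWN_GOOD holds placeholder hashes; fill it from TAC/Talos data.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from pathlib import Path

# The exact non-destructive commands from the quoted procedure, in order.
COLLECTION_COMMANDS = [
    "show version",
    "verify /SHA-512 system:memory/text",
    "debug menu memory 8",
]

# Anything starting with these would destroy the in-memory evidence (assumed).
DESTRUCTIVE_PREFIXES = ("reload", "crashinfo")

SHA512_RE = re.compile(r"\b([0-9a-fA-F]{128})\b")
VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")

# Placeholder baseline: version -> expected SHA-512 of system:memory/text.
KNOWN_GOOD = {"9.16(4)": "ab" * 64}  # constructed, NOT a real hash

# Constructed sample captures standing in for a real CLI session.
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
    "Firewall mode: Router\n"
)
SAMPLE_VERIFY_CLEAN = "verify /SHA-512 (system:memory/text) = " + "ab" * 64 + "\n"
SAMPLE_VERIFY_TAMPERED = "verify /SHA-512 (system:memory/text) = " + "cd" * 64 + "\n"
SAMPLE_DEBUG_MENU = "Memory region output (constructed placeholder)\n"


def assert_safe(command: str) -> str:
    """Return the command unchanged, or raise if it would reboot/crash-dump."""
    if command.strip().lower().startswith(DESTRUCTIVE_PREFIXES):
        raise ValueError(f"refusing destructive command on suspect device: {command!r}")
    return command


def extract_version(show_version_output: str):
    m = VERSION_RE.search(show_version_output)
    return m.group(1) if m else None


def extract_text_hash(verify_output: str):
    m = SHA512_RE.search(verify_output)
    return m.group(1).lower() if m else None


def assess(show_version_output: str, verify_output: str, known_good=KNOWN_GOOD) -> dict:
    """Compare the captured text-segment hash with the baseline for that version."""
    version = extract_version(show_version_output)
    digest = extract_text_hash(verify_output)
    if version is None or digest is None:
        status = "unparsed"          # capture incomplete; re-run collection, do NOT reboot
    elif version not in known_good:
        status = "no-baseline"       # ask TAC for the reference hash for this build
    elif known_good[version].lower() == digest:
        status = "match"
    else:
        status = "MISMATCH"          # treat as compromised: open the TAC case, keep it powered on
    return {"status": status, "version": version, "sha512": digest}


def bundle_evidence(outputs: dict, out_dir) -> dict:
    """Write each command's raw output to a file and return a checksum manifest."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(), "artifacts": {}}
    for cmd, text in outputs.items():
        assert_safe(cmd)
        name = re.sub(r"[^a-z0-9]+", "_", cmd.lower()).strip("_") + ".txt"
        data = text.encode()
        (out_dir / name).write_bytes(data)
        manifest["artifacts"][name] = {
            "command": cmd,
            "sha256": hashlib.sha256(data).hexdigest(),  # chain-of-custody checksum
            "bytes": len(data),
        }
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    captured = dict(zip(COLLECTION_COMMANDS,
                        [SAMPLE_SHOW_VERSION, SAMPLE_VERIFY_TAMPERED, SAMPLE_DEBUG_MENU]))
    print(assess(captured["show version"], captured["verify /SHA-512 system:memory/text"]))
    print(json.dumps(bundle_evidence(captured, "arcanedoor_evidence"), indent=2))
```

Run it against a real capture by replacing the SAMPLE_* strings with the pasted session text and KNOWN_GOOD with the reference hash TAC gives you for your exact build; the "MISMATCH" and "unparsed" branches deliberately never suggest a reload, because the quoted guidance is that a reboot or core dump loses the only evidence you have.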