CVE-2024-20359 — Cisco ASA and FTD Privilege Escalation Vulnerability

Cisco ASA/FTD — ArcaneDoor 'Line Runner' Implant Achieves Persistence via Legacy VPN Client Package Mechanism; Zero-Day Same-Day KEV April 24, 2024

What is Cisco ASA and FTD?

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) are enterprise network security appliances providing firewall, VPN, and intrusion prevention capabilities. They sit at the perimeter of corporate and government networks, making them a high-value target for espionage actors: perimeter device compromise provides persistent access to network traffic, the ability to intercept communications, and a staging point for lateral movement into the internal network. ASA/FTD devices are deployed across government agencies, critical infrastructure operators, and large enterprises worldwide.

Overview

CVE-2024-20359 is a persistent local code execution vulnerability in Cisco ASA and FTD software (Cisco's title; CISA's KEV entry classifies it as privilege escalation). An authenticated local attacker who already holds administrator-level privileges can place a crafted file on the appliance's disk0: flash file system; because that file is not properly validated when it is read from flash, its contents execute with root-level privileges on the underlying operating system after the next reload, and again on every subsequent reload. It was one of two zero-days disclosed with Cisco Talos' investigation of the ArcaneDoor espionage campaign, the other being CVE-2024-20353, a denial-of-service (forced reload) vulnerability in the management and VPN web servers. Talos tracks the actor as UAT4356 (STORM-1849 in Microsoft's naming) and assessed it as state-sponsored without naming a country; third-party analysis has since pointed to a China nexus, and some analysts have suggested overlap with the Velvet Ant cluster. The targets were perimeter network devices of government and critical infrastructure organizations worldwide. UAT4356 used this vulnerability to install the "Line Runner" persistent implant on compromised ASA devices.

Affected Versions

Product     Status
Cisco ASA   Fixed in the releases listed in Cisco advisory cisco-sa-asaftd-persist-rce-FLsNXF4h
Cisco FTD   Fixed in the releases listed in the same advisory

Technical Details

CWE-94 (Improper Control of Generation of Code, 'Code Injection'). The flaw lies in a legacy capability of ASA/FTD for preloading VPN client software and plug-ins onto the appliance: at boot the system looks on the disk0: flash file system for a client package ZIP archive (Talos reported that the loader matches file names of the form client_bundle*.zip), unpacks it and runs the code inside. The package is not properly validated when it is read from flash, so an attacker who has already obtained administrator access can copy a crafted ZIP containing arbitrary code to disk0: and have it executed with root-level privileges on the underlying Linux-based OS at the next reload. Administrator access is the precondition (hence PR:H and a medium CVSS base score), but the payoff is root-level persistence that configuration-level controls never see.

UAT4356's "Line Runner" implant used exactly this mechanism to persist across reboots and, per Talos, across some software upgrades. Line Runner is a Lua-based webshell reached through the appliance's own HTTP(S) web services, so operator traffic blends with legitimate VPN and management sessions. Because it lives as a file on disk0: rather than anywhere in the running or startup configuration, removing it with ordinary ASA configuration commands, or restoring a saved configuration, does not remove it.

Discovery

Discovered by Cisco Talos during its investigation of the ArcaneDoor campaign, a months-long espionage operation against government and critical infrastructure networks through their Cisco perimeter devices. Talos identified two implants deployed by UAT4356: "Line Dancer", a memory-resident shellcode interpreter that lets the operator upload and run arbitrary code on the appliance without touching disk, and "Line Runner", the disk-based persistence mechanism installed through CVE-2024-20359. The companion vulnerability CVE-2024-20353 was found in the same investigation. Talos did not determine the initial access vector. CISA added both CVEs to the KEV catalog on the day of disclosure with a 7-day remediation deadline, reflecting its assessment of the severity and urgency of the ongoing exploitation.

Exploitation Context

ArcaneDoor is a state-sponsored espionage campaign. Talos tracks the actor as UAT4356 (STORM-1849 in Microsoft's naming); third parties have described the tradecraft as consistent with China-nexus operations, and some analysts have suggested overlap with the Velvet Ant cluster. The campaign targeted government organizations and critical infrastructure across multiple countries, particularly those involved in policy areas of strategic interest to China. Exploiting CVE-2024-20359 requires ASA/FTD administrator access as a prerequisite; Talos did not determine how UAT4356 obtained that access, and neither CVE-2024-20359 nor CVE-2024-20353 is itself an initial-access vulnerability.

Together the two vulnerabilities and two implants give the actor a complete post-access toolkit: Line Dancer for hands-on-keyboard work in memory (running CLI commands, capturing packets, exfiltrating the configuration, disabling syslog, and bypassing AAA), and Line Runner for a foothold that survives reboots and upgrades for long-term collection; CVE-2024-20353 supplies a way to force a reload, and a reload is also what makes the appliance load Line Runner from disk0:. Both vulnerabilities were unknown to Cisco when exploitation began, so the actor brought its own ASA vulnerability research to the campaign.

Remediation

  1. Upgrade all ASA and FTD devices to a fixed release listed in Cisco advisory cisco-sa-asaftd-persist-rce-FLsNXF4h. Patching closes the vulnerability but does not remove an implant that is already installed, so steps 2 to 4 come first on any device that was exposed.
  2. Run the detection steps from the Cisco advisory and Talos' ArcaneDoor write-up: list disk0: with dir disk0:/ and treat any unexpected file, in particular a ZIP archive such as client_bundle_install.zip, as an indicator; Cisco's ASA forensic investigation procedures add memory and image checks aimed at Line Dancer.
  3. Verify the integrity of the installed ASA/FTD image with the ASA verify command and compare the hash against the value published on Cisco's software download page. Line Runner lives on the file system, so an altered or extra file shows up when the listing and hashes are compared with a known-good device of the same release.
  4. Review ASA/FTD administrator authentication logs (syslog 605005 "Login permitted" and 605004 "Login denied", plus the AAA messages) for unauthorized admin sessions, especially from unexpected source addresses, on non-management interfaces, or at unusual hours. Line Dancer can disable syslog, so a gap in the log is itself suspicious.
  5. Also patch CVE-2024-20353, the companion denial-of-service vulnerability used in ArcaneDoor.
  6. Treat any device showing indicators as compromised rather than merely unpatched: reimage it from a known-good image downloaded from Cisco (a configuration restore is not enough, because Line Runner lives on disk0: and not in the configuration), then rotate every credential, key and certificate the device held, including VPN and AAA secrets.
  7. Restrict ASA/FTD management access to a dedicated out-of-band management network reachable only from approved administrative workstations, and do not expose management services on the outside interface.
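
Step 4 is the one that tends to be done by eye. The following is an added example, not Cisco's code, that parses the 605004/605005 login messages from exported syslog and flags sessions that break the expectations a locked-down management plane should meet. The message bodies follow the ASA syslog message guide; the log lines are constructed, and the management network, management interface name, expected admin accounts and working-hours window are assumptions to replace with your own values.

```python
"""Review ASA syslog login messages for unexpected administrative sessions (remediation step 4).

Added example, not Cisco code. The message bodies follow the ASA syslog guide
for 605005 (Login permitted) and 605004 (Login denied); the log lines are
constructed. The management network, the management interface name, the set of
expected admin accounts and the working-hours window are assumptions to replace
with your own values.
"""
import ipaddress
import re
from datetime import datetime

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed out-of-band management network
MGMT_IFACES = {"mgmt"}                               # assumed name of the management interface
EXPECTED_ADMINS = {"admin", "netops"}                # assumed authorised administrative accounts
WORK_HOURS = range(7, 20)                            # assumed 07:00 to 19:59 appliance local time

# Constructed sample: one routine session, one after-hours session from the Internet on the
# outside interface, a failed attempt from the same address, and a login by an unknown account.
SAMPLE_LOG = """\
Apr 22 2024 09:12:31 fw-edge-01 : %ASA-6-605005: Login permitted from 10.10.0.5/50122 to mgmt:10.10.0.1/ssh for user "netops"
Apr 22 2024 03:14:07 fw-edge-01 : %ASA-6-605005: Login permitted from 198.51.100.23/41876 to outside:203.0.113.1/https for user "admin"
Apr 22 2024 03:15:52 fw-edge-01 : %ASA-6-605004: Login denied from 198.51.100.23/41901 to outside:203.0.113.1/ssh for user "root"
Apr 22 2024 14:40:10 fw-edge-01 : %ASA-6-605005: Login permitted from 10.10.0.7/50240 to mgmt:10.10.0.1/https for user "svc-backup"
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-6-60500[45]: Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ "
    r"to (?P<iface>[^:]+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user \"(?P<user>[^\"]+)\"$"
)


def parse_login_events(text):
    """Parse 605004/605005 lines into dicts: when, src (ip_address), iface, dst, svc, user, result."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev.pop("ts"), "%b %d %Y %H:%M:%S")
        ev["src"] = ipaddress.ip_address(ev["src"])
        events.append(ev)
    return events


def triage_logins(text, mgmt_nets=MGMT_NETS, mgmt_ifaces=MGMT_IFACES,
                  expected_admins=EXPECTED_ADMINS, work_hours=WORK_HOURS):
    """Return one finding per login event that breaks at least one expectation.

    Denied logins are kept as well: the failed attempts around a successful login
    from the same address are what turn "odd hour" into "someone is working the box".
    """
    findings = []
    for ev in parse_login_events(text):
        reasons = []
        if not any(ev["src"] in net for net in mgmt_nets):
            reasons.append(f"source {ev['src']} is outside the management network")
        if ev["iface"] not in mgmt_ifaces:
            reasons.append(f"session arrived on interface {ev['iface']!r}, not the management interface")
        if ev["when"].hour not in work_hours:
            reasons.append(f"outside working hours ({ev['when']:%H:%M})")
        if ev["user"] not in expected_admins:
            reasons.append(f"account {ev['user']!r} is not an expected administrator")
        if ev["result"] == "denied":
            reasons.append("login failed")
        if reasons:
            findings.append({"when": ev["when"], "user": ev["user"], "src": str(ev["src"]),
                             "service": ev["svc"], "result": ev["result"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_LOG):
        print(f"{f['when']:%Y-%m-%d %H:%M} {f['result']:9} {f['user']:<12} {f['src']:<16} {f['service']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Feed it the syslog export for the whole exposure window, not just the last few days: the campaign ran for months, and a device on which Line Dancer disabled syslog will show as a silent gap, which is worth reporting separately from the hits.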

Key Details

Property              Value
CVE ID                CVE-2024-20359
Vendor / Product      Cisco — Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
NVD Published         2024-04-24
NVD Last Modified     2025-10-28
CVSS 3.1 Score        6.0
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Severity              MEDIUM
CWE                   CWE-94
CISA KEV Added        2024-04-24
CISA KEV Deadline     2024-05-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Required Action

CISA BOD 22-01 Deadline: 2024-05-01. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-04-24   Cisco and Talos disclose the ArcaneDoor campaign; patches for CVE-2024-20359 and CVE-2024-20353 published; CISA adds both to KEV the same day
2024-05-01   CISA BOD 22-01 remediation deadline, a 7-day emergency deadline reflecting active espionage exploitation