CVE CyberSecurity Database News

CVE-2024-20358 - How a Simple Backup Can Let Hackers Take Over Cisco ASA & FTD Devices

Poster -

Published: June 2024

Introduction

In June 2024, Cisco disclosed a serious vulnerability, CVE-2024-20358, that affects the backup and restore functionality on Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This flaw could let attackers with admin access fully compromise devices by executing any command on the underlying Linux OS – as root!

In this article, I'll break down what this vulnerability is, how it works, why it's dangerous, and (just for education!) show a code snippet so you can really understand the issue. References to Cisco advisories and public resources are included.

Vulnerability Type: Authenticated command injection (local, admin required)

- CVE ID: CVE-2024-20358

Patched: June 2024

- Cisco Advisory: cisco-sa-asaftd-arb-cmd-inj-x6qfrHXY

What Is the Vulnerability?

The problem lies in how Cisco ASA/FTD devices handle backup restore operations. Both products let administrators back up configurations and restore them to a device. But, when restoring a backup file, the software does NOT sanitize its contents properly.

That means if you, as an attacker, can log in (must be an admin!) and restore a malicious backup file you've crafted, you can slip your own commands into the backup file. During the restore process, those commands will run as root on the device's Linux operating system.

This is as bad as it sounds — you can completely take over the system with just a single crafted backup file.

Valid credentials (must have administrator-level access on the device).

- Local access, meaning via the CLI, ASDM, or FDM; or via SSH/console with admin rights.

The Core Problem

When the device restores a backup file (usually a ZIP or similar archive), certain scripts or configuration values from the backup file are used in a way that lets embedded shell code run with root privileges.

They log into the device and use the restore function to load this crafted backup.

3. The device performs the restore process and — because it doesn’t properly filter/clean the values — runs the embedded commands as root.

What Could An Attacker Do?

- Install persistent rootkits/backdoors.

Example Code Snippet: Crafting a Malicious Backup

*This is an educational and simplified example! Real world exploitation depends on Cisco’s internal backup format, but the basic method typically targets scripts or parameters restored from the backup archive.*

Suppose inside the backup, there’s a config.txt file that looks like this

# config.txt - inside malicious backup archive
hostname = myfirewall
ntp_server = 192.168.1.1; /bin/bash -c 'touch /tmp/cve_2024_20358_pwned'

When the backup is restored, any unsanitized use of configuration fields might let you execute custom shell code:

# Hypothetical Python/Python-like restore routine
with open('config.txt') as f:
    for line in f:
        key, value = line.split('=')
        if key.strip() == 'ntp_server':
            # BAD: Processing config without sanity checks
            os.system(f"ntpdate {value.strip()}")  # Vulnerable!

If the attacker sets ntp_server to 192.168.1.1; <malicious command>, then the restore script will run both the ntp update and the attacker’s command — as root.

In Practice

The real exploit may require customizing file formats or ZIP structure to align with Cisco’s format. But the principle is the same: inject a payload in a place that gets run with system privileges during restore.

1. Patch Immediately

Cisco has released patched versions. Update to the latest ASA and FTD software!

- ASA Software: Cisco Download Center
- FTD Software: Cisco Download Center

3. Monitor & Log Restore Operations

- Log all backup/restore events.

References

- Cisco Security Advisory for CVE-2024-20358
- National Vulnerability Database: CVE-2024-20358
- Cisco ASA and FTD Software Download
- Simple explanation of command injection

Conclusion

CVE-2024-20358 is a powerful vulnerability because it abuses a “normal” admin procedure — backup and restore. While it doesn’t give outsiders instant access, for anyone with admin (especially on shared or vulnerable networks), it’s an almost guaranteed full-compromise. Always patch network firewalls and security devices as quickly as possible, review who has admin access, and pay attention to “maintenance” features — they’re often targets for advanced intruders.

Stay safe!

*This guide is for awareness and education only. Always use your knowledge responsibly.*

Timeline

Published on: 04/24/2024 20:15:07 UTC
Last modified on: 04/30/2024 14:47:57 UTC