Cisco Security Breach

TLDR: Apparently this vulnerability was known by Cisco for 3-4 months before a patch was released for it, JFC Fixed version: **unknown** *There are firmware updates available for devices with the fix but the articles don't list the version, some require a TAC case to get the fixed versions. Patches are available for free if you don't have an active TAC contract. If someone replies with the fixed version I'll update the guide* **Determine Whether an ASA or FTD Device Is Affected** https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ **Method 1: ** After updating the device to a software release that contains the fix for CVE-2024-20359, a review of the contents of disk0: should be conducted. If a new file (e.g., “client_bundle_install.zip” or any other unusual .zip file) appears on disk0: following the update, this suggests that Line Runner was present on the device in question. Note that because the updated software is not vulnerable to CVE-2024-20359, Line Runner will no longer be active on the device. **Method 2: ** To detect (and remove) Line Runner, the following series of commands will create an innocuous file with a .zip extension. Note that it will not create a valid zip file, but the file will still be read by the ASA at reboot. Upon execution of the following commands, if a new .zip file appears on disk0: following the reload, this suggests that Line Runner was present on the device in question. Deletion of the “client_bundle_install.zip” file will remove Line Runner. Note that the malicious ZIP containing the Line Runner functionality could have other names that fit the naming pattern outlined previously. If you discover a newly created .zip file, copy that file off the device using the copy command and contact psirt@cisco.com referencing CVE-2024-20359. Include the outputs of the dir disk0: and show version commands from the device and the .zip file extracted from the device.