
ArcaneDoor: Firewall, or Open Door?

April 26, 2024

Author: Chase Snyder, Sr. PMM, Xage Security

Three new CVEs in Cisco security products were announced on April 24, 2024. The trio of CVE-2024-20353, CVE-2024-20359, and CVE-2024-20358 has been dubbed ArcaneDoor and is already being actively exploited. Wired published an article speculating that the exploitation was being conducted by state-sponsored APTs originating in China.

ArcaneDoor represents a continuation of the accelerating trend of perimeter security solutions and VPN products being actively abused by attackers. In the past, attackers may have sought ways AROUND the firewall. Now, the firewall itself is often the path of choice for initial intrusion, lateral movement, privilege escalation, and general espionage campaigns.

Image of an Arcane Door generated by ChatGPT.

What Should You Do About ArcaneDoor?

The CVEs were announced concurrently with patches issued by Cisco. If you have Cisco Adaptive Security Appliances (ASA) or Cisco Firepower Threat Defense (FTD) software, you should do the following:

  1. Check whether you have vulnerable versions of those products operating in your environment.
  2. If so, follow the instructions to patch and the precautions to prevent re-installation of custom malware (physically unplug the ASA appliance!). Cisco provides detailed guidance here.
  3. Closely monitor your Cisco products and anything that touches them for unusual network behavior, communication with known IOCs (also available in Cisco’s post linked above), and any other abnormalities.

We won’t go too deep on the mitigations for ArcaneDoor, since they have already been amply covered by Cisco themselves.

A Note On Compensating Controls

The perimeter has never been secure. This is almost axiomatic in cybersecurity. But the increased exploitation of security tools themselves is cause for a mindset shift. The concept of layered defense in depth is shifting from being a high-maturity, aspirational goal, to being a baseline necessity for organizations that want to protect themselves against this type of edge-targeted attack.

So what kinds of compensating controls can you deploy that would protect your environment if your firewall got hacked?

  1. Zero Trust Microsegmentation: Assuring that even deep inside your environment, it is impossible to move laterally or to poll for discovery and enumeration of other devices in the zone.
  2. Multi-layer MFA: Making sure that just getting inside the environment does not grant access to other assets and data inside it without further MFA challenges, slowing the progress of an attacker.
  3. Principle of Least Privilege: Assuring that no compromised identity in your environment has overly broad access to critical assets can slow down an attacker’s progress. If they only need to escalate privileges once to access your whole network, they can move quickly. If they have to compromise new credentials for each additional layer, zone, or even individual asset, their progress and their ability to automate expansion are hindered.

The increasing exploitation of perimeter security devices reinforces the need for accelerated adoption of a zero trust security model, with defense-in-depth as a foundational security practice. Xage can deliver all of the above capabilities in a manner that both reduces the likelihood of a successful intrusion and prevents subsequent attack steps, stopping a breach even if the attacker gets in.

In addition, these vulnerabilities underscore the importance of security products themselves adhering to Secure By Design principles. Security vendors should be building in mitigations so that their products are more difficult to compromise, and so that damage is contained at subsequent layers even if an attacker gains initial access.