Cisco recently disclosed a high-severity denial of service (DoS) vulnerability, tracked as CVE-2024-20290, impacting its Secure Endpoint platform. According to their security advisory published on February 7th, 2024, the vulnerability stems from flawed input validation in the ClamAV antivirus engine used by Secure Endpoint. Specifically, an incorrect check for end-of-string values when parsing OLE2 files in ClamAV can result in a heap buffer over-read.
By crafting malicious OLE2 files and submitting them to a Secure Endpoint protected endpoint, an unauthenticated remote attacker could trigger excessive resource consumption in the ClamAV scanning process on Windows platforms. This causes Secure Endpoint services to terminate, denying service availability to legitimate users. With a CVSS score of 7.5 out of 10, it is critical for businesses using Cisco Secure Endpoint to apply the necessary software update as soon as possible to mitigate potential denial of service attacks.
We published this blog post to give short and precise information about the flaw CVE-2024-20290, and to explain how you can protect your Cisco Secure Endpoint solution from falling victim to this DoS vulnerability.
Cisco Secure Endpoint is an advanced endpoint security solution offered by Cisco. It provides comprehensive protection, detection, response, and access capabilities to safeguard endpoints across an organization.
It delivers advanced endpoint protection capabilities to stop threats before they compromise business operations. It provides a cloud-native solution designed to speed up detection, response, and recovery from cyber attacks targeting endpoints.
Core capabilities offered by Secure Endpoint include:
Powerful endpoint detection and response (EDR) either natively built-in or completely managed, combined with threat hunting and integrated vulnerability management
USB device control with deep visibility into blocked devices during investigations
Integrated extended detection and response (XDR) features like unified views, simplified incident management, and automated playbooks
Proactive threat hunting powered by Talos security experts that maps to the MITRE ATT&CK framework
Other key features include the ability to isolate infected hosts with one click to automate response actions, as well as leveraging Talos threat intelligence to block threats faster. Secure Endpoint establishes protection, detection, response, and user access controls to safeguard endpoints across control points. It is available in Essentials, Advantage, and Premier packages suited to varying security needs.
By stopping threats before they result in compromises, Secure Endpoint reduces incident response times helping businesses boost resilience.
Vulnerability Details
CVE ID: CVE-2024-20290
Description: ClamAV OLE2 File Format Parsing Denial of Service Vulnerability
CVSS Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
This denial of service vulnerability stems from flawed input validation in the OLE2 file parser of the ClamAV antivirus engine used by Cisco Secure Endpoint. Specifically, an incorrect check for end-of-string values during OLE2 file scanning can result in a heap buffer over-read.
By crafting malicious OLE2 files and submitting them to a Secure Endpoint protected endpoint, an attacker could trigger excessive resource consumption in the ClamAV scanning process on Windows platforms. This causes the ClamAV process to enter a loop condition, consuming available CPU resources, delaying or preventing further scanning operations.
Successful exploitation of this flaw enables an unauthenticated remote attacker to cause a denial of service condition on Windows-based Cisco Secure Endpoint clients, denying service availability to legitimate users. Cisco has assigned it a high severity rating due to the significant availability impact.
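To show the bug class the advisory describes (an end-of-string check that trusts the file to terminate a name), here is an added C illustration written for this post, not ClamAV's or Cisco's code: an unbounded terminator search beside a bounded one, run over a constructed OLE2-style directory-entry name field. The 64-byte UTF-16LE name field is the OLE2 directory-entry layout; that the ClamAV flaw sits in exactly this field is an assumption, not something the advisory states.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* An OLE2 directory entry begins with a fixed 64-byte UTF-16LE name field
 * that is supposed to be NUL-terminated. Both parsers below illustrate the
 * bug class for this post; they are not ClamAV's code (assumption). */
#define OLE2_NAME_FIELD 64
/* Vulnerable shape: trusts the file to supply the 16-bit NUL terminator.
 * When it is missing, the loop keeps reading past the field and past the
 * end of the heap buffer holding the entry (heap buffer over-read). */
size_t name_len_unbounded(const uint8_t *name) {
    size_t i = 0;
    while (name[i] != 0 || name[i + 1] != 0) i += 2;
    return i / 2;                          /* length in UTF-16 code units */
}
/* Hardened shape: the search is bounded by the remaining buffer and by the
 * field size; a missing terminator is a parse error, not a reason to keep
 * reading. Returns 0 on success, -1 on malformed input. */
int name_len_bounded(const uint8_t *buf, size_t buf_len, size_t off, size_t *out) {
    size_t i;
    if (off > buf_len || buf_len - off < OLE2_NAME_FIELD) return -1; /* truncated */
    for (i = 0; i + 1 < OLE2_NAME_FIELD; i += 2)
        if (buf[off + i] == 0 && buf[off + i + 1] == 0) { *out = i / 2; return 0; }
    return -1;                             /* no terminator inside the field */
}
/* Builds a constructed 64-byte name field from ASCII as UTF-16LE. With
 * terminated == 0 the padding is non-NUL, i.e. there is no terminator at all. */
void build_name_field(uint8_t *field, const char *ascii, int terminated) {
    size_t i, n = strlen(ascii);
    memset(field, terminated ? 0 : 'A', OLE2_NAME_FIELD);
    for (i = 0; i < n && 2 * i + 1 < OLE2_NAME_FIELD; i++) {
        field[2 * i] = (uint8_t)ascii[i];
        field[2 * i + 1] = 0;
    }
}
/* Drivers over constructed samples (not taken from any real file). */
long well_formed_name_len(void) {          /* expect 10 for "Root Entry" */
    uint8_t field[OLE2_NAME_FIELD]; size_t n;
    build_name_field(field, "Root Entry", 1);
    if (name_len_bounded(field, sizeof field, 0, &n) != 0) return -1;
    return name_len_unbounded(field) == n ? (long)n : -2; /* both agree here */
}
long unterminated_name_len(void) {         /* expect -1: rejected, not over-read */
    uint8_t field[OLE2_NAME_FIELD]; size_t n;
    build_name_field(field, "Root Entry", 0);
    return name_len_bounded(field, sizeof field, 0, &n) == 0 ? (long)n : -1;
}
```

The unbounded parser is only ever called on the terminated sample; on the unterminated one it would read past the buffer, which is exactly what the bounded version refuses to do.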
The following Cisco software platforms running ClamAV are affected by this high severity vulnerability:
Secure Endpoint Connector for Windows – Versions 7.5 and earlier
Secure Endpoint Private Cloud – Versions 3.7 and earlier
The vulnerability stems from the ClamAV antivirus engine used by Cisco Secure Endpoint software on endpoints. Specifically, Cisco Secure Endpoint Connector clients distributed from Cisco's Secure Endpoint Private Cloud platform are vulnerable.
Cisco's advisory also lists the products that are not affected by the CVE-2024-20290 denial of service vulnerability in ClamAV. These products do not need to be included in your mitigation plan:
Firepower Threat Defense (FTD) Software
Secure Email Gateway
Secure Endpoint Connector for Linux
Secure Endpoint Connector for Mac
Secure Web Appliance
Cisco has released software updates addressing this denial of service vulnerability in impacted Secure Endpoint products. Customers are advised to upgrade to the following fixed versions:
Secure Endpoint Connector for Windows – Version 7.5.17 released in February 2024
Secure Endpoint Private Cloud – Version 3.8.0 with updated connectors
These releases contain the necessary updates to ClamAV to address CVE-2024-20290. See the ClamAV blog for detailed information about the ClamAV releases.
For Secure Endpoint Connector clients, customers leveraging Cisco's auto-update capability will automatically receive these patches per their defined policies. Organizations without auto-update enabled should proactively test and deploy the updated versions.
As per Cisco’s update recommendations, customers should review device memory and supported hardware/software configurations before upgrading to minimize disruption. Impacted organizations should prioritize upgrading and testing these critical Secure Endpoint security updates to mitigate potential denial of service attacks.
Currently, there are no other workarounds available for this ClamAV vulnerability apart from applying the vendor-provided software update.
There are two primary ways to upgrade your Secure Endpoint Connector:
1. Automatic Update via Cisco Secure Endpoint Console
Best for: Managed environments where you control the update process centrally.
Steps:
Log in to the Cisco Secure Endpoint administration console.
Navigate to the Management tab.
Locate the Downloads page.
Select the desired connector version for the group policy you want to upgrade.
The connectors will update automatically on endpoints within that group.
2. Manual Update
Best for: Individual endpoints or when you need more direct control.
Steps:
Obtain the latest installer from the Cisco Secure Endpoint console or the Cisco Support website.
For existing installations: Typically, you can run the new installer directly over the old version to upgrade.
Special cases:
In some cases, you may need to uninstall the older version first.
Refer to Cisco documentation for specific instructions if needed.
Important Considerations
Check compatibility: Always make sure the new connector version is compatible with the operating system running on your endpoints. You can find a compatibility matrix on Cisco's support website.
Testing: For large deployments, test the upgrade in a smaller group of endpoints before rolling it out widely. This helps identify potential issues.
Backup: As a general precaution, back up critical data before any major software updates.
Resources to consult before upgrading:
Cisco Secure Endpoint Documentation: https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/tsd-products-support-install-and-upgrade-technotes-list.html
Looking Point Blog: https://www.lookingpoint.com/blog/updating-cisco-security-endpoints-version
This denial of service vulnerability in the ClamAV antivirus engine integrated with Cisco Secure Endpoint could allow attackers to carry out availability attacks against protected endpoints. Successful exploitation can lead to outages that disrupt business operations and productivity.
With a CVSS severity score of 7.5 out of 10, Cisco customers using impacted Secure Endpoint software releases should treat this as a high-priority patch. Proactively testing and deploying the updated releases containing the ClamAV fixes is crucial to mitigate this vulnerability. This will prevent potential denial of service conditions that could affect legitimate users. Regularly applying the latest security updates is vital to boost the resilience of security solutions against emerging threats.
We hope this post helps you understand how to protect your Cisco Secure Endpoint from CVE-2024-20290, a high-severity denial of service vulnerability. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website thesecmaster.com, and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.