ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices | CISA
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency's Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to "issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat." 44 U.S.C. § 3553(h)(1)-(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(v). These directives do not apply to statutorily defined "national security systems" nor to systems operated by the Department of War or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances' Secure Boot would detect the identified manipulation of the ROM.

CISA has assessed that the following CVEs pose an unacceptable risk to federal information systems:

CISA mandates that these vulnerabilities be addressed immediately through the actions outlined in this Directive.

CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign.

This Emergency Directive requires agencies to take the following actions:

For all public-facing Cisco ASA hardware appliances:

If the result is "No Compromise Detected":

For all ASAv and Firepower (FTD):

All agencies, regardless of the results of requirement 2, must:

These required actions apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this Directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP-authorized cloud service providers and work directly with service providers that are not FedRAMP-authorized.

All other provisions specified in this Directive remain applicable.

Note: entities outside of the Federal Executive Branch that wish to perform the actions outlined in this section may follow the same CISA instructions to collect and upload a core dump file to CISA for analysis.

Visit https://www.cisa.gov/news-events/directives or contact the following for:

For further instructions on how to perform a core dump, please visit https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions

For eviction guidance, please visit https://www.cisa.gov/eviction-strategies-tool/create-from-template