How to Protect Your Cisco Secure Endpoint from CVE-2024-20290, a High-Severity Denial of Service Vulnerability?

Cisco recently disclosed a high-severity denial of service (DoS) vulnerability, tracked as CVE-2024-20290, impacting its Secure Endpoint platform. According to their security advisory published on February 7th, 2024, the vulnerability stems from flawed input validation in the ClamAV antivirus engine used by Secure Endpoint. Specifically, an incorrect check for end-of-string values when parsing OLE2 files in ClamAV can result in a heap buffer over-read.

By crafting malicious OLE2 files and submitting them to a Secure Endpoint protected endpoint, an unauthenticated remote attacker could trigger excessive resource consumption in the ClamAV scanning process on Windows platforms. This causes Secure Endpoint services to terminate, denying service availability to legitimate users. With a CVSS score of 7.5 out of 10, it is critical for businesses using Cisco Secure Endpoint to apply the necessary software update as soon as possible to mitigate potential denial of service attacks.

We published this blog post to give short and precise information about the flaw CVE-2024-20290 and how you can protect your Cisco Secure Endpoint deployment from becoming a victim of this DoS vulnerability.

A Short Introduction to the Cisco Secure Endpoint Platform

Cisco Secure Endpoint is an advanced endpoint security solution offered by Cisco. It provides comprehensive protection, detection, response, and access capabilities to safeguard endpoints across an organization.

It delivers advanced endpoint protection capabilities to stop threats before they compromise business operations. It provides a cloud-native solution designed to speed up detection, response, and recovery from cyber attacks targeting endpoints.

Core capabilities offered by Secure Endpoint include:

  • Powerful endpoint detection and response (EDR) either natively built-in or completely managed, combined with threat hunting and integrated vulnerability management

  • USB device control with deep visibility into blocked devices during investigations

  • Integrated extended detection and response (XDR) features like unified views, simplified incident management, and automated playbooks

  • Proactive threat hunting powered by Talos security experts that maps to the MITRE ATT&CK framework


Other key features include the ability to isolate infected hosts with one-click to automate response actions as well as leverage Talos threat intelligence to block threats faster. Secure Endpoint establishes protection, detection, response, and user access controls to safeguard endpoints across control points. It is available in Essentials, Advantage, and Premier packages suited for varying security needs.

By stopping threats before they result in compromises, Secure Endpoint reduces incident response times helping businesses boost resilience.

Summary of CVE-2024-20290

Vulnerability Details

  • CVE ID: CVE-2024-20290

  • Description: ClamAV OLE2 File Format Parsing Denial of Service Vulnerability

  • CVSS Score: 7.5

  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This denial of service vulnerability stems from flawed input validation in the OLE2 file parser of the ClamAV antivirus engine used by Cisco Secure Endpoint. Specifically, an incorrect check for end-of-string values during OLE2 file scanning can result in a heap buffer over-read.

By crafting malicious OLE2 files and submitting them to a Secure Endpoint protected endpoint, an attacker could trigger excessive resource consumption in the ClamAV scanning process on Windows platforms. This causes the ClamAV process to enter a loop condition, consuming available CPU resources, delaying or preventing further scanning operations.

Successful exploitation of this flaw enables an unauthenticated remote attacker to cause a denial of service condition on Windows-based Cisco Secure Endpoint clients, denying service availability to legitimate users. Cisco has assigned it a high severity rating due to the significant availability impact.
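As an added illustration of the bug class described above (this is not ClamAV's or Cisco's code and not the actual vulnerable function), the block below shows a terminator-only scan over an OLE2 directory-entry name field beside a bounded version that rejects an unterminated entry instead of reading past the buffer. The 64-byte name field comes from the OLE2/CFB directory entry layout; the function names and the constructed sample names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OLE2_NAME_BYTES 64   /* size of the UTF-16LE name field in an OLE2 directory entry */

/* Constructed sample input: encode an ASCII name as UTF-16LE into a 64-byte
 * name field, with or without the 0x0000 terminator. Filler is non-zero so
 * an unterminated entry contains no accidental terminator. */
void make_ole2_name(const char *ascii, int terminated, uint8_t out[OLE2_NAME_BYTES])
{
    memset(out, 0x41, OLE2_NAME_BYTES);
    size_t n = strlen(ascii);
    if (n > OLE2_NAME_BYTES / 2 - 1) n = OLE2_NAME_BYTES / 2 - 1;
    for (size_t i = 0; i < n; i++) { out[2 * i] = (uint8_t)ascii[i]; out[2 * i + 1] = 0; }
    if (terminated) { out[2 * n] = 0; out[2 * n + 1] = 0; }
}

/* Vulnerable pattern: trusts the file to contain a terminator. On an entry
 * without one, the loop keeps reading past the 64-byte field into whatever
 * heap memory follows (a heap buffer over-read). Only ever call this on
 * input known to be terminated. */
size_t name_len_unbounded(const uint8_t *name)
{
    size_t n = 0;
    while (name[2 * n] != 0 || name[2 * n + 1] != 0) n++;
    return n;
}

/* Hardened: the scan is capped by the field size and the entry's declared
 * byte length; a missing terminator is reported as malformed (-1) rather
 * than searched for beyond the buffer. On success *out is the length in
 * UTF-16 code units, excluding the terminator. */
int name_len_bounded(const uint8_t *name, uint16_t declared_len, size_t *out)
{
    size_t limit = declared_len;
    if (limit > OLE2_NAME_BYTES || (limit & 1)) return -1;   /* bad declared length */
    for (size_t i = 0; i + 1 < limit; i += 2)
        if (name[i] == 0 && name[i + 1] == 0) { *out = i / 2; return 0; }
    return -1;   /* unterminated within bounds: reject, do not keep reading */
}

/* Self-checks on constructed input. Terminated "Root Entry": both scans agree (10).
 * Unterminated entry: the bounded scan rejects it instead of over-reading (-1). */
int check_terminated_name(void)
{
    uint8_t f[OLE2_NAME_BYTES]; size_t n = 0;
    make_ole2_name("Root Entry", 1, f);
    if (name_len_unbounded(f) != 10) return -1;
    return (name_len_bounded(f, 22, &n) == 0 && n == 10) ? 10 : -1;
}
int check_unterminated_name(void)
{
    uint8_t f[OLE2_NAME_BYTES]; size_t n = 0;
    make_ole2_name("Unterminated", 0, f);
    return name_len_bounded(f, OLE2_NAME_BYTES, &n);
}
```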

Products Vulnerable

The following Cisco software platforms running ClamAV are affected by this high severity vulnerability:

  • Secure Endpoint Connector for Windows – Versions 7.5 and earlier

  • Secure Endpoint Private Cloud – Versions 3.7 and earlier

The vulnerability stems from the ClamAV antivirus engine used by Cisco Secure Endpoint software on endpoints. Specifically, Cisco Secure Endpoint Connector clients distributed from Cisco’s Secure Endpoint Private Cloud platform are vulnerable.

Cisco's advisory also lists the products confirmed not to be affected by the CVE-2024-20290 denial of service vulnerability in ClamAV; you can leave those products out of your mitigation plan.

How to Protect Your Cisco Secure Endpoint from CVE-2024-20290?

Cisco has released software updates addressing this denial of service vulnerability in impacted Secure Endpoint products. Customers are advised to upgrade to the following fixed versions:

  • Secure Endpoint Connector for Windows – Version 7.5.17 released in February 2024

  • Secure Endpoint Private Cloud – Version 3.8.0 with updated connectors

These releases contain the necessary updates to ClamAV to address CVE-2024-20290. See the ClamAV blog for detailed information about the ClamAV releases.

For Secure Endpoint Connector clients, customers leveraging Cisco’s auto-update capability will automatically receive these patches per their defined policies. Organizations without auto-update enabled should proactively test and deploy the updated versions.

As per Cisco’s update recommendations, customers should review device memory and supported hardware/software configurations before upgrading to minimize disruption. Impacted organizations should prioritize upgrading and testing these critical Secure Endpoint security updates to mitigate potential denial of service attacks.

Currently, there are no other workarounds available for this ClamAV vulnerability apart from applying the vendor-provided software update.

Tips to Upgrade Your Cisco Secure Endpoint

There are two primary ways to upgrade your Secure Endpoint Connector:

1. Automatic Update via Cisco Secure Endpoint Console

  • Best for: Managed environments where you control the update process centrally.

  • Steps:

    1. Log in to the Cisco Secure Endpoint administration console.

    2. Navigate to the Management tab.

    3. Locate the Downloads page.

    4. Select the desired connector version for the group policy you want to upgrade.

    5. The connectors will update automatically on endpoints within that group.

2. Manual Update

  • Best for: Individual endpoints or when you need more direct control.

  • Steps:

    1. Obtain the latest installer from the Cisco Secure Endpoint console or the Cisco Support website.

    2. For existing installations: Typically, you can run the new installer directly over the old version to upgrade.

    3. Special cases:

      • In some cases, you may need to uninstall the older version first.

      • Refer to Cisco documentation for specific instructions if needed.

Important Considerations

Do not skip these resources; refer to them before upgrading.

Bottom Line

This denial of service vulnerability in the ClamAV antivirus engine integrated with Cisco Secure Endpoint could allow attackers to carry out availability attacks against protected endpoints. Successful exploitation can lead to outages that disrupt business operations and productivity.

With a CVSS severity score of 7.5 out of 10, Cisco customers using impacted Secure Endpoint software releases should treat this as a high-priority patch. Proactively testing and deploying the updated releases containing the ClamAV fixes is crucial to mitigate this vulnerability. This will prevent potential denial of service conditions that could affect legitimate users. Regularly applying the latest security updates is vital to boost the resilience of security solutions against emerging threats.
