Urgent Fix Released by Cisco to Address Vulnerability in ASA and FTD Software Currently Under Active Attack
Cisco has released updates to address a security vulnerability in its Adaptive Security Appliance (ASA) that is currently under active attack and could result in a denial-of-service (DoS) condition.
The vulnerability, tracked as CVE-2024-20481 with a CVSS score of 5.8, affects the Remote Access VPN (RAVPN) service of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software.
The flaw is a resource-exhaustion weakness that an unauthenticated, remote attacker could abuse to cause a DoS of the RAVPN service.
“Exploitation of this flaw involves bombarding the affected device with numerous VPN authentication requests,” noted Cisco in a statement. “Successful exploitation could lead to a resource exhaustion scenario, leading to a DoS affecting the RAVPN service on the impaired device.”
Depending on the impact of the attack, the device may need to be reloaded to restore the RAVPN service, according to the networking equipment company.
Although there are no direct solutions for CVE-2024-20481, customers can mitigate it by following the recommendations Cisco has outlined for defending against password-spray attacks:
- Enable logging
- Configure threat detection for remote access VPN services
- Implement hardening measures such as disabling AAA authentication
- Manually block connection attempts from unauthorized sources
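The first, second and fourth recommendations above come together in the following added example, which is not Cisco's code and not part of the original article. It assumes the documented formats of ASA syslog messages 113005 and 113015 (AAA user authentication rejected); the sample log lines, hostnames, addresses and usernames are constructed. It runs the rejection records through a sliding window to flag sources exceeding a per-source rate, sources trying many distinct usernames (the spray pattern Talos described), and an overall flood of rejections that no single source accounts for, which is the pattern that matters for resource exhaustion. The output is a candidate block list for the fourth step.

```python
"""Flag VPN authentication floods and password-spray patterns in Cisco ASA syslog.

Added example, not Cisco's code. Assumes the documented message formats of
ASA syslog IDs 113005 and 113015 (AAA user authentication rejected). All
sample lines, hosts, addresses and usernames below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches 113005 / 113015 rejection messages and extracts timestamp, user, source IP.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected : .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

# Constructed sample: a burst of rejections from one source using many usernames,
# one benign rejection from another source, and one unrelated connection message.
SAMPLE_LOGS = [
    "Oct 23 2024 10:00:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7",
    "Oct 23 2024 10:00:03 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 198.51.100.7",
    "Oct 23 2024 10:00:05 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.7",
    "Oct 23 2024 10:00:07 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 198.51.100.7",
    "Oct 23 2024 10:00:09 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 198.51.100.7",
    "Oct 23 2024 10:00:11 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7",
    "Oct 23 2024 10:00:30 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.9",
    "Oct 23 2024 10:00:31 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51000 (203.0.113.9/51000) to inside:10.0.0.8/443 (10.0.0.8/443)",
]


def parse_rejections(lines):
    """Yield (timestamp, username, source_ip) for every rejection line; skip others."""
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def detect_auth_flood(lines, window_seconds=60, per_source_threshold=5,
                      spray_users_threshold=3, global_threshold=20):
    """Sliding-window analysis of rejections.

    Returns a dict with:
      flagged_sources: ip -> peak rejections seen within one window
      spray_sources:   ip -> number of distinct usernames attempted
      flood:           True if total rejections in any window hit global_threshold
    """
    events = sorted(parse_rejections(lines))
    per_source = defaultdict(deque)
    users_by_source = defaultdict(set)
    global_window = deque()
    flagged_sources, spray_sources, flood = {}, {}, False
    for ts, user, ip in events:
        q = per_source[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= per_source_threshold:
            flagged_sources[ip] = max(flagged_sources.get(ip, 0), len(q))
        users_by_source[ip].add(user)
        if len(users_by_source[ip]) >= spray_users_threshold:
            spray_sources[ip] = len(users_by_source[ip])
        # Overall rate across all sources: a distributed flood can exhaust the
        # RAVPN service even when no single source trips the per-source threshold.
        global_window.append(ts)
        while (ts - global_window[0]).total_seconds() > window_seconds:
            global_window.popleft()
        if len(global_window) >= global_threshold:
            flood = True
    return {"flagged_sources": flagged_sources, "spray_sources": spray_sources, "flood": flood}


def sources_to_block(findings):
    """Candidate block list: sources that hit either the rate or the spray threshold."""
    return sorted(set(findings["flagged_sources"]) | set(findings["spray_sources"]))


if __name__ == "__main__":
    result = detect_auth_flood(SAMPLE_LOGS)
    print("rate-flagged:", result["flagged_sources"])
    print("spray:", result["spray_sources"])
    print("flood:", result["flood"])
    print("block candidates:", sources_to_block(result))
```

The thresholds are hypothetical tuning knobs; on a real deployment they should be set from a baseline of normal failed-login volume, and the block list should be reviewed before it is applied, since a flood from anonymizing proxies can include addresses shared with legitimate users.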
It is worth noting that this vulnerability has been exploited by threat actors as part of a large-scale brute-force campaign targeting VPN and SSH services.
Back in April, Cisco Talos reported a surge in brute-force attacks against Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, ongoing since March 18, 2024. The targets included products from Cisco, Check Point, Fortinet, SonicWall, MikroTik, Draytek, and Ubiquiti.
“These brute-force attacks are utilizing both generic and specific usernames associated with certain organizations,” Talos indicated. “The source of these assaults is primarily TOR exit nodes along with other anonymous tunnels and proxies.”
Cisco has also released patches for three other critical vulnerabilities in FTD Software, Secure Firewall Management Center (FMC) Software, and Adaptive Security Appliance (ASA) Software:
- CVE-2024-20412 (CVSS score: 9.3) – A static-credentials vulnerability (accounts with pre-set passwords) in FTD Software for Cisco Firepower Series appliances, which could allow a local attacker to access the system using those static credentials
- CVE-2024-20424 (CVSS score: 9.9) – An insufficient validation of HTTP requests flaw in the web-based management interface of FMC Software, which could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root
- CVE-2024-20329 (CVSS score: 9.9) – An insufficient validation of user input flaw in the SSH subsystem of ASA Software, which could allow an authenticated, remote attacker to execute operating system commands as root
Given that security vulnerabilities in network devices are increasingly exploited for nation-state purposes, it is crucial that users apply the latest patches promptly.