Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack
Cisco has released software updates to address a vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that is being actively exploited and can lead to a denial-of-service (DoS) condition.
The vulnerability, tracked as CVE-2024-20481 (CVSS score: 5.8), affects the Remote Access VPN (RAVPN) service in Cisco ASA and Cisco FTD Software.
The flaw stems from resource exhaustion: an unauthenticated, remote attacker can drive the RAVPN service into a DoS condition without needing valid credentials.
“Exploiting this vulnerability involves inundating an impacted device with numerous VPN authentication requests,” Cisco said in an advisory. “Successful exploitation could exhaust resources, resulting in a DoS within the RAVPN service on the affected device.”
Depending on the severity of the attack, the device may need to be reloaded to restore the RAVPN service, according to the company.
There are no workarounds for CVE-2024-20481, but Cisco has pointed customers to its existing recommendations for countering password spraying attacks:
- Enable logging
- Configure threat detection for remote access VPN services
- Enable hardening measures, such as disabling AAA authentication
- Manually block connection attempts from unauthorized sources
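The recommendations above amount to seeing the flood and cutting it off: log every rejected RAVPN authentication, identify the sources hammering the service, and block them before the resource exhaustion described in CVE-2024-20481 forces a reload. The following Python script is an added example, not Cisco's code and not the ASA threat-detection feature itself, of that logic run over ASA syslog: it parses the documented %ASA-6-113005 (external AAA server) and %ASA-6-113015 (local database) rejection messages, keeps a per-source sliding window of failures, and emits ASA `shun` commands for sources that cross a threshold. The 20-failures-in-10-minutes threshold, the hostname asa-edge-1, the IP addresses and every log line are constructed for this example, not taken from the advisory or from a real device.

```python
"""Spot auth-request floods / password sprays in Cisco ASA syslog and emit shun commands.

Added illustration, not Cisco's code or the ASA threat-detection feature itself. It parses
the two ASA messages that record a rejected remote-access authentication
(%ASA-6-113005 for an external AAA server, %ASA-6-113015 for the local database),
counts rejections per source IP inside a sliding window, and flags sources that cross
a threshold. Window, threshold, host name, addresses and the sample lines are all
constructed for this example (assumptions, not Cisco defaults).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field order in both rejection messages is fixed, so one pattern covers both the
# AAA-server form (113005) and the local-database form (113015).
_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) .*%ASA-6-1130(?:05|15): "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"(?:server = \S+|local database) : user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)"
)


def parse_rejects(lines):
    """Yield (timestamp, source_ip, username) for every rejection line; ignore the rest."""
    for line in lines:
        m = _REJECT.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"], m["user"]


def find_spray_sources(lines, threshold=20, window=timedelta(minutes=10)):
    """Return {ip: stats} for sources with >= `threshold` rejections inside any `window`.

    Lines are processed in arrival order. Each source keeps only the timestamps still
    inside the window, so memory stays bounded on a box taking thousands of hits.
    """
    recent = defaultdict(deque)   # ip -> timestamps of rejections inside the window
    users = defaultdict(set)      # ip -> distinct usernames tried (sprays rotate users)
    flagged = {}
    for ts, ip, user in parse_rejects(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:  # always terminates: the newest entry is 0 old
            q.popleft()
        if len(q) >= threshold:
            first = flagged[ip]["first_flagged"] if ip in flagged else ts
            flagged[ip] = {"rejects_in_window": len(q),
                           "distinct_users": len(users[ip]),
                           "first_flagged": first}
    return flagged


def shun_commands(flagged):
    """'shun <ip>' on ASA drops all traffic from that source until 'no shun <ip>'."""
    return [f"shun {ip}" for ip in sorted(flagged)]


def sample_log():
    """Constructed sample, not captured traffic: 203.0.113.7 sprays 24 usernames in six
    minutes, 192.0.2.33 fails 20 times but spread over 30 minutes (low and slow),
    198.51.100.9 is a real user who mistypes twice, plus one unrelated success message."""
    base = datetime(2024, 10, 24, 10, 15, 0)
    fmt = "%b %d %Y %H:%M:%S"
    aaa = ("{t} asa-edge-1 : %ASA-6-113005: AAA user authentication Rejected : "
           "reason = AAA failure : server = 10.0.0.5 : user = {u} : user IP = {ip}")
    local = ("{t} asa-edge-1 : %ASA-6-113015: AAA user authentication Rejected : "
             "reason = Invalid password : local database : user = {u} : user IP = {ip}")
    lines = [aaa.format(t=(base + timedelta(seconds=15 * i)).strftime(fmt),
                        u=f"user{i:02d}", ip="203.0.113.7") for i in range(24)]
    lines += [aaa.format(t=(base + timedelta(seconds=90 * i)).strftime(fmt),
                         u="svc-backup", ip="192.0.2.33") for i in range(20)]
    lines += [local.format(t=(base + timedelta(minutes=3, seconds=40 * i)).strftime(fmt),
                           u="jsmith", ip="198.51.100.9") for i in range(2)]
    lines.append(f"{base.strftime(fmt)} asa-edge-1 : %ASA-6-113004: AAA user "
                 "authentication Successful : server = 10.0.0.5 : user = asmith")
    return lines


if __name__ == "__main__":
    hits = find_spray_sources(sample_log())
    for ip, s in hits.items():
        print(f"{ip}: {s['rejects_in_window']} rejects in window, "
              f"{s['distinct_users']} users, first flagged {s['first_flagged']:%H:%M:%S}")
    print("\n".join(shun_commands(hits)))
```

Two caveats for anyone adapting this. First, the attack Cisco describes is a volume problem, so the counter should run close to the device (or use the built-in threat detection for remote access VPN services on a fixed release) rather than in a SIEM that sees the logs minutes after the service has already fallen over. Second, the Talos campaign came through Tor exit nodes and proxies, so a single source may never cross a per-IP threshold; the distinct_users count and the number of failures per target username are the better signal for a distributed spray, while a legitimate user such as 198.51.100.9 in the sample never gets near either.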
It is worth noting that the vulnerability has been triggered in the wild by threat actors running large-scale brute-force campaigns against VPN and SSH services: the floods of authentication requests used for credential guessing are exactly the input that exhausts the RAVPN service.
In April, Cisco Talos reported a surge in brute-force attacks against Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services that began around March 18, 2024. The attacks targeted a broad range of devices from multiple vendors, including Cisco, Check Point, Fortinet, SonicWall, MikroTik, DrayTek, and Ubiquiti.
“These brute-force attempts typically involve using standard usernames or valid usernames associated with specific organizations,” Talos stated. “The attacks seem to originate from Tor exit nodes and various other anonymous tunnels and proxies.”
Cisco has also issued patches for three other critical vulnerabilities, in FTD Software, Secure Firewall Management Center (FMC) Software, and ASA Software, respectively:
- CVE-2024-20412 (CVSS score: 9.3) – Static accounts with hard-coded passwords in FTD Software for Cisco Firepower Series appliances, which could allow an unauthenticated, local attacker to access an affected system using those fixed credentials
- CVE-2024-20424 (CVSS score: 9.9) – Insufficient input validation of HTTP requests in the web-based management interface of FMC Software, which could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root
- CVE-2024-20329 (CVSS score: 9.9) – Insufficient validation of user input in the SSH subsystem of ASA Software, which could allow an authenticated, remote attacker to execute operating system commands as root
Given how often security weaknesses in network edge devices are exploited in nation-state campaigns, users should apply the latest updates promptly.