Cisco has added new security measures that considerably mitigate brute-force and password spray assaults on Cisco ASA and Firepower Risk Protection (FTD), serving to shield the community from breaches and decreasing useful resource utilization on gadgets.
Password spray and brute power assaults are related in that they each try to achieve unauthorized entry to a web-based account by guessing a password.
Nevertheless, password spray assaults will try and concurrently use the identical passwords throughout a number of accounts to evade defenses. In distinction, brute power assaults repeatedly goal a single account with completely different password makes an attempt.
In April, Cisco disclosed that menace actors had been conducting large brute-force assaults towards VPN accounts on quite a lot of networking gadgets, together with these from Cisco, Checkpoint, Fortinet, SonicWall, RD Internet Companies, Miktrotik, Draytek, and Ubiquiti.
Cisco warned that profitable assaults may result in unauthorized entry, account lockouts, and denial-of-service states relying on the focused surroundings.
These assaults allowed Cisco to uncover and repair a Denial of Service vulnerability, tracked as CVE-2024-20481, that exhausted assets on Cisco ASA and FTD gadgets when hit with most of these assaults.
New VPN brute-force assault safety options
After being hit with the assaults in April, Cisco launched new menace detection capabilities in Cisco ASA and Firewall Risk Protection (FTD) that considerably scale back the affect of brute-force and password spray assaults.
Whereas these options have been out there for some software program variations since June, they didn’t develop into out there for all variations till this month.
Sadly, when talking to some Cisco admins, they had been unaware of those new options. Nevertheless, those that had been, reported vital success in mitigating VPN brute-force assaults when the options are enabled.
“It worked so magically that the hourly 500K failures lowered to 170! over last night!,” a Cisco admin shared on Reddit.
These new options are a part of the menace detection service and block the next forms of assaults:
- Repeated failed authentication makes an attempt to distant entry VPN providers (brute-force username/password scanning assaults).
- Shopper initiation assaults, the place the attacker begins however doesn’t full the connection makes an attempt to a distant entry VPN headend repeated occasions from a single host.
- Connection makes an attempt to invalid distant entry VPN providers. That’s, when attackers strive to connect with particular built-in tunnel teams supposed solely for the inner functioning of the machine. Legit endpoints ought to by no means try to connect with these tunnel teams.
Cisco instructed BleepingComputer that consumer initiation assaults are normally performed to devour assets, doubtlessly placing the machine in a denial of service state.
To allow these new options, you have to be working a supported model of Cisco ASA and FTD, that are listed beneath:
ASA Software program:
- 9.16 model prepare -> supported from 9.16(4)67 and newer variations inside this particular prepare.
- 9.17 model prepare -> supported from 9.17(1)45 and newer variations inside this particular prepare.
- 9.18 model prepare -> supported from 9.18(4)40 and newer variations inside this particular prepare.
- 9.19 model prepare -> supported from 9.19(1).37 and newer variations inside this particular prepare.
- 9.20 model prepare -> supported from 9.20(3) and newer variations inside this particular prepare.
- 9.22 model prepare -> supported from 9.22(1.1) and any newer variations.
FTD Software program:
- 7.0 model prepare -> supported from 7.0.6.3 and newer variations inside this particular prepare.
- 7.2 model prepare -> supported from 7.2.9 and newer model inside this particular prepare.
- 7.4 model prepare -> supported from 7.4.2.1 and newer model inside this particular prepare.
- 7.6 model prepare -> supported from 7.6.0 and any newer variations.
In case you are working a help software program model, you should utilize the next instructions to allow the brand new options.
To forestall menace actors from making an attempt to connect with built-in tunnel teams that aren’t meant to normally be related to, you’ll enter this command:
threat-detection service invalid-vpn-access
To forestall repeated makes an attempt from the identical IP tackle to provoke an authentication request to the RAVPN service however by no means full it, you’ll use this command:
threat-detection service remote-access-client-initiations hold-down <minutes> threshold <depend>
Lastly, to forestall repeated authentication requests from the identical IP tackle, you’ll use this command:
threat-detection service remote-access-authentication hold-down <minutes> threshold <depend>
For each the remote-access-client-initiations and remote-access-authentication options, the minutes and depend variables have the next definitions:
- hold-down defines the interval after the final initiation try throughout which consecutive connection makes an attempt are counted. If the variety of consecutive connection makes an attempt meets the configured threshold inside this era, the attacker’s IPv4 tackle is shunned. You possibly can set this era between 1 and 1440 minutes.
- threshold is the variety of connection makes an attempt required inside the hold-down interval to set off a shun. You possibly can set the brink between 5 and 100.
If IP addresses make too many connection or authentication requests within the outlined interval, then the Cisco ASA and FTD software program will shun, or block, the IP tackle indefinitely till you manually take away it utilizing the next command:
no shun source_ip [ vlan vlan_id]
A Cisco ASA admin shared a script that may robotically take away all shunned IP addresses each seven days on Reddit.
An instance of an entire configuration shared by Cisco that permits all three options is:
threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20
An admin on Reddit additional famous that the consumer initiation protections precipitated some false positives of their surroundings however carried out higher after reverting to the defaults of hold-down 10 and threshold 20.
When BleepingComputer requested if there may be any draw back to using these options if RAVPN is enabled, they mentioned there could possibly be a possible for a efficiency affect.
“There is no expected “draw back,” but the potential for performance impact can exist when enabling new features based on existing device configuration and traffic load,” Cisco instructed BleepingComputer.
Total, in the event you focused by menace actors attempting to brute power your VPN accounts, it’s strongly advisable that you simply allow these options to mitigate these assaults as compromised VPN credentials are generally utilized to breach networks for ransomware assaults.
