Cisco fixes VPN DoS flaw found in password spray assaults

Cisco mounted a denial of service flaw in its Cisco ASA and Firepower Menace Protection (FTD) software program, which was found throughout large-scale brute pressure assaults in opposition to Cisco VPN units in April.

The flaw is tracked as CVE-2024-20481 and impacts all variations of Cisco ASA and Cisco FTD up till the newest variations of the software program.

“A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 safety advisory.

“This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.”

Cisco says that when this DDoS assault impacts a tool, a reload could also be required to revive RAVPN companies.

Whereas the Cisco Product Safety Incident Response Crew (PSIRT) says they’re conscious of the lively exploitation of this vulnerability, it was not used to focus on Cisco ASA units in DoS assaults.

As a substitute, the flaw was found as a part of large-scale brute-force password assaults in April in opposition to VPN companies on all kinds of networking {hardware}, together with:

  • Cisco Safe Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Net Companies
  • Miktrotik
  • Draytek
  • Ubiquiti

These assaults have been designed to reap legitimate VPN credentials for company networks, which might then be bought on darkish internet markets, to ransomware gangs for preliminary entry, or used to breach networks in data-theft assaults.

Nonetheless, because of the massive variety of sequential and fast authentication requests made in opposition to units, the attackers unwittingly used up the sources on the machine, inflicting a denial of service state on the Cisco ASA and FTD units.

The bug is assessed as a CWE-772 vulnerability, which signifies that the software program was not correctly releasing allotted sources, resembling reminiscence, throughout VPN authentication makes an attempt.

Cisco says that this flaw can solely be exploited if the RAVPN service is enabled.

Admins can verify if SSL VPN is enabled on a tool by issuing the next command:


firewall# present running-config webvpn | embody ^ allow

If there isn’t any output, then the RAVPN service isn’t enabled.

Different Cisco vulnerabilities 

Cisco has additionally issued 37 safety advisories for 42 vulnerabilities on varied of its merchandise, together with three critical-severity flaws impacting Firepower Menace Protection (FTD), Safe Firewall Administration Middle (FMC), and Adaptive Safety Equipment (ASA).

Though not one of the flaws have been noticed to be actively exploited within the wild, their nature and severity ought to warrant instant patching by impacted system admins.

A abstract of the issues is given beneath:

  • CVE-2024-20424: Command injection flaw within the web-based administration interface of Cisco FMC software program, brought on by improper validation of HTTP requests. It permits authenticated distant attackers with a minimum of ‘Safety Analyst’ privileges to execute arbitrary instructions on the underlying OS with root privileges. (CVSS v3.1 rating: 9.9)
  • CVE-2024-20329: Distant command injection vulnerability in Cisco ASA brought on by inadequate person enter validation in distant CLI instructions over SSH. It permits authenticated distant attackers to execute root-level OS instructions. (CVSS v3.1 rating: 9.9)
  • CVE-2024-20412: Static credentials in Firepower 1000, 2100, 3100, and 4200 Sequence units, permitting native attackers unrestricted entry to delicate information, in addition to configuration modification. (CVSS v3.1 rating: 9.3)

CVE-2024-20424 impacts any Cisco product working a susceptible model of FMC no matter machine configuration. The seller has given no workarounds for this flaw.

CVE-2024-20329 impacts ASA releases which have the CiscoSSH stack enabled and SSH entry allowed on a minimum of one interface.

A proposed workaround for this flaw is to disable the susceptible CiscoSSH stack and allow the native SSH stack by utilizing the command: "no ssh stack ciscossh"

This can disconnect lively SSH periods, and modifications have to be saved to make it persistent throughout reboots.

CVE-2024-20412 impacts FTD Software program variations 7.1 by means of 7.4 with a VDB launch of 387 or earlier on Firepower 1000, 2100, 3100, and 4200 Sequence units.

Cisco says there is a workaround for this downside out there to impacted shoppers by means of its Technical Help Middle.

For CVE-2024-20412, the software program vendor has additionally included indicators of exploitation within the advisory to assist system directors detect malicious exercise.

It is strongly recommended to make use of this command to verify to be used of static credentials: 


zgrep -E "Accepted password for (csm_processes|report|sftop10user|Sourcefire|SRU)"/ngfw/var/log/messages*

If any profitable login makes an attempt are listed, it is likely to be a sign of exploitation. If no output is returned, the default credentials weren’t used through the log retention interval.

No exploitation detection recommendation was offered for CVE-2024-20424 and CVE-2024-20329, however trying on the logs for uncommon/irregular occasions is all the time a stable methodology for locating suspicious exercise.

Updates for all three of the issues can be found by means of the Cisco Software program Checker instrument.

Recent articles

Andrew Tate’s College Breach: 1 Million Person Information and Chats Leaked

Andrew Tate’s “The Real World” platform has been breached,...

North Korean Hackers Steal $10M with AI-Pushed Scams and Malware on LinkedIn

Nov 23, 2024Ravie LakshmananSynthetic Intelligence / Cryptocurrency The North Korea-linked...