Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack

Summary:
Cisco has released security updates to address an actively exploited flaw impacting the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Tracked as CVE-2024-20481, the flaw could enable an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service.

"This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device," states Cisco.

Since at least March 18, 2024, the flaw has been exploited as part of a large-scale brute-force campaign targeting VPNs and SSH services. This campaign, detailed in a blog post by Cisco Talos on April 16, 2024, has specifically targeted various vendor devices, including but not limited to Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek, and Ubiquiti. Notably, these brute-force attacks are indiscriminate, affecting multiple regions and industries, and utilize both generic and valid usernames associated with specific organizations. Researchers have observed that these attacks have originated from Tor exit nodes, along with a variety of other anonymizing tunnels and proxies.

Security Officer Comments:
According to Cisco, services not related to VPN are not affected. Below is a list of products that are not vulnerable to CVE-2024-20481:

  • IOS Software
  • IOS XE Software
  • Meraki products
  • NX-OS Software
  • Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software

Overall, a successful brute-force attack of this kind could allow actors to gain unauthorized network access and move laterally across systems within that network. Given the nature of brute-force attacks, the large influx of authentication traffic could also lead to account lockouts and even denial-of-service conditions.

Suggested Corrections:
A list of usernames and passwords, as well as IP addresses associated with these attacks, has been uploaded to a GitHub repository and can be accessed here.

While there are no workarounds for CVE-2024-20481, Cisco has provided a set of mitigations that can be implemented by customers who are experiencing password spray attacks and have not yet upgraded to a fixed release:

  • Enable logging
  • Configure threat detection for remote access VPN services
  • Apply hardening measures, such as disabling AAA authentication
  • Manually block connection attempts from unauthorized sources
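The first and last of these mitigations go together: once logging is enabled, the failed-authentication messages are what tell you which sources to block. The following Python script is an added example (not from the article, Cisco, or the Talos report) of that counting done off-box, in the style of a SIEM rule: it parses constructed syslog lines modeled on the ASA AAA rejection messages 113005 (external AAA server) and 113015 (local database), flags any source that produces at least a threshold number of failures inside a sliding time window, and marks a source as password spraying when those failures span many distinct usernames, the pattern the article attributes to this campaign. The sample log, the hostname, the addresses, and the threshold, window and spray-user values are all assumptions; the same kind of per-source counting is what the ASA's own threat detection for VPN services performs on the device.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured traffic), modeled on the ASA AAA
# rejection messages %ASA-6-113005 (external AAA server) and %ASA-6-113015
# (local database), plus one successful login (113004) that must be ignored.
# Addresses are from documentation ranges; the hostname "fw01" is made up.
SAMPLE_LOG = """\
Apr 16 2024 10:00:01 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7
Apr 16 2024 10:00:02 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 198.51.100.7
Apr 16 2024 10:00:04 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 198.51.100.7
Apr 16 2024 10:00:05 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 198.51.100.7
Apr 16 2024 10:00:07 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 198.51.100.7
Apr 16 2024 10:00:09 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = support : user IP = 198.51.100.7
Apr 16 2024 10:03:30 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.9
Apr 16 2024 10:03:41 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.9
Apr 16 2024 10:03:55 fw01 : %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
"""

# Matches only the rejection messages; the timestamp prefix and the
# "user =" / "user IP =" fields are all that is needed. 113004 does not match.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) .*%ASA-\d-1130(?:05|15): "
    r"AAA user authentication Rejected .*: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


@dataclass(frozen=True)
class Rejection:
    ts: datetime
    user: str
    src_ip: str


def parse_rejections(text):
    """Extract rejected-authentication events from raw syslog text."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append(Rejection(ts, m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Flag sources with at least `threshold` failures inside any `window`-long span.

    threshold, window and spray_users are assumed tuning values, not Cisco defaults.
    Returns {src_ip: details} for flagged sources only.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        best = None
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                users = {e.user for e in evs[start:end + 1]}
                best = {
                    "failures": count,
                    "distinct_users": len(users),
                    "first_seen": evs[start].ts,
                    "last_seen": evs[end].ts,
                    # Many usernames from one source is the password-spray pattern.
                    "password_spray": len(users) >= spray_users,
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse_rejections(SAMPLE_LOG)).items():
        kind = "password spray" if f["password_spray"] else "brute force"
        print(f"{ip}: {f['failures']} failures, {f['distinct_users']} users, "
              f"{f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S} ({kind})")
```

On the constructed sample, 198.51.100.7 is reported with six failures across six usernames inside eight seconds and is marked as a spray, while 203.0.113.9 (two failures for the same user) stays below the threshold and is not reported. The flagged addresses are the candidates for the manual blocking step; the sliding window matters because a source that spreads attempts just under a fixed-interval threshold would otherwise slip through.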

The vendor also recommends reviewing its Configure Threat Detection for VPN Services section of the Cisco Secure Firewall ASA Firewall CLI Configuration Guide, which provides guidance on enabling protections from RAVPN login authentication attacks, client initiation attacks, and attempts to connect to an invalid VPN service. This documentation can be accessed here.

Link(s):
https://thehackernews.com/2024/10/cisco-issues-urgent-fix-for-asa-and-ftd.html