Original Article Text


Cisco fixes VPN DoS flaw discovered in password spray attacks

Cisco fixed a denial of service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April. The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.

"A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service," reads the CVE-2024-20481 security advisory.

"This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device."

Cisco says that once this DDoS attack impacts a device, a reload may be required to restore RAVPN services.

While the Cisco Product Security Incident Response Team (PSIRT) says they are aware of the active exploitation of this vulnerability, it was not used to target Cisco ASA devices in DoS attacks. Instead, the flaw was discovered as part of large-scale brute-force password attacks in April against VPN services on a wide variety of networking hardware, including:

These attacks were designed to harvest valid VPN credentials for corporate networks, which can then be sold on dark web markets, to ransomware gangs for initial access, or used to breach networks in data-theft attacks. However, due to the large number of sequential and rapid authentication requests made against devices, the attackers unwittingly used up the resources on the device, causing a denial of service state on the Cisco ASA and FTD devices.
Cisco says that this flaw can only be exploited if the RAVPN service is enabled. Admins can check if SSL VPN is enabled on a device by issuing the following command:

If there is no output, then the RAVPN service is not enabled.

Other Cisco vulnerabilities

Cisco has also issued 37 security advisories for 42 vulnerabilities across a range of its products, including three critical-severity flaws impacting Firepower Threat Defense (FTD), Secure Firewall Management Center (FMC), and Adaptive Security Appliance (ASA). Although none of the flaws have been observed to be actively exploited in the wild, their nature and severity should warrant immediate patching by impacted system admins. A summary of the flaws is given below:

CVE-2024-20424 impacts any Cisco product running a vulnerable version of FMC regardless of device configuration. The vendor has given no workarounds for this flaw.

CVE-2024-20329 impacts ASA releases that have the CiscoSSH stack enabled and SSH access allowed on at least one interface. A proposed workaround for this flaw is to disable the vulnerable CiscoSSH stack and enable the native SSH stack by using the command: "no ssh stack ciscossh". This will disconnect active SSH sessions, and changes must be saved to make them persistent across reboots.

CVE-2024-20412 impacts FTD Software versions 7.1 through 7.4 with a VDB release of 387 or earlier on Firepower 1000, 2100, 3100, and 4200 Series devices. Cisco says there's a workaround for this problem available to impacted clients through its Technical Assistance Center.

For CVE-2024-20412, the software vendor has also included signs of exploitation in the advisory to help system administrators detect malicious activity. It is recommended to use this command to check for use of static credentials:

If any successful login attempts are listed, it might be an indication of exploitation. If no output is returned, the default credentials weren't used during the log retention period.
No exploitation detection advice was provided for CVE-2024-20424 and CVE-2024-20329, but looking at the logs for unusual/abnormal events is always a solid method for finding suspicious activity. Updates for all three of the flaws are available through the Cisco Software Checker tool.
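The article recommends reviewing logs for abnormal activity, and the CVE-2024-20481 story shows why: the same burst of rapid authentication attempts that harvests credentials is also what exhausts the RAVPN service. The script below is an added example (not Cisco's tooling and not from the article) that runs that kind of review over authentication-rejection syslog lines: it flags a source that hits many distinct usernames in a short window (a spray pattern) and reports the peak rejection rate across all sources (the resource-pressure signal). The log lines are constructed for the example; the message IDs 113005 and 113015 are real ASA AAA-rejection identifiers, but the exact field layout, the 60-second window and the thresholds are assumptions to be tuned per environment.

```python
"""Spray and burst detection over VPN authentication-rejection log lines.

Added example, not Cisco's own tooling. The sample lines below are
constructed to resemble ASA AAA rejection messages; the exact field layout,
window size and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real device).
# 203.0.113.10 tries six different users in five seconds (spray pattern);
# 198.51.100.7 fails twice on one user (looks like an ordinary typo);
# one unrelated connection-teardown line shows the parser skipping noise.
SAMPLE_LOGS = """\
Oct 24 2024 10:00:01 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 203.0.113.10
Oct 24 2024 10:00:02 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bob : user IP = 203.0.113.10
Oct 24 2024 10:00:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.5 : user = carol : user IP = 203.0.113.10
Oct 24 2024 10:00:04 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = dave : user IP = 203.0.113.10
Oct 24 2024 10:00:05 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = erin : user IP = 203.0.113.10
Oct 24 2024 10:00:06 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = frank : user IP = 203.0.113.10
Oct 24 2024 10:00:20 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/51000 to identity:192.0.2.1/443 duration 0:00:01 bytes 900 TCP FINs
Oct 24 2024 10:00:30 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = carol : user IP = 198.51.100.7
Oct 24 2024 10:00:45 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = carol : user IP = 198.51.100.7
"""

# Assumed layout: syslog timestamp, host, %ASA-<sev>-<msgid>, then the AAA
# rejection text carrying "user = <name>" and "user IP = <addr>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d+): "
    r"AAA user authentication Rejected.*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for an AAA rejection line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "msgid": m["msgid"],
        "user": m["user"],
        "ip": m["ip"],
    }


def parse_logs(text):
    """Parse every line of a log blob, keeping only rejection events in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def find_spray_sources(events, window=timedelta(seconds=60), min_attempts=5, min_users=3):
    """Per source IP, slide a window over its rejections and flag sources whose
    busiest window shows both many attempts and many distinct usernames.
    Returns {ip: (attempts, distinct_users)} using the worst window seen."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            attempts = end - start + 1
            users = {x["user"] for x in evs[start:end + 1]}
            if attempts >= min_attempts and len(users) >= min_users:
                prev = flagged.get(ip, (0, 0))
                flagged[ip] = (max(prev[0], attempts), max(prev[1], len(users)))
    return flagged


def peak_request_rate(events, window=timedelta(seconds=60)):
    """Largest number of rejections in any window across all sources; a rising
    value is the aggregate-load signal that precedes RAVPN resource exhaustion."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(f"{len(evs)} rejection events parsed")
    for ip, (attempts, users) in find_spray_sources(evs).items():
        print(f"spray suspect {ip}: {attempts} rejections across {users} usernames in one window")
    print(f"peak rejections per window: {peak_request_rate(evs)}")
```

The two checks are deliberately separate: the per-source check catches a single spraying address, while the aggregate peak still rises when the attempts are spread across many addresses, which is the case that actually threatens the RAVPN service's resources. Feed the parser your own exported syslog and set the thresholds from a baseline of normal failed-login volume.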

Daily Brief Summary

DDOS // Cisco Patches VPN DoS Vulnerability Amid Brute Force Attacks

Cisco has resolved a denial of service (DoS) vulnerability in its Cisco ASA and Firepower Threat Defense (FTD) software discovered during large-scale brute force attacks.

The vulnerability, identified as CVE-2024-20481, can cause DoS by resource exhaustion when numerous VPN authentication requests are sent to affected devices.

The flaw impacts all versions of Cisco ASA and FTD software prior to the latest updates, requiring a device reload to restore VPN services post-exploitation.

Originally, the brute force attacks aimed to harvest VPN credentials for sale or ransomware use but inadvertently triggered DoS states on Cisco devices.

Exploitation of this vulnerability is exclusive to devices with the Remote Access VPN (RAVPN) service enabled, which can be verified via specific Cisco command checks.

Cisco also issued advisories for 42 other vulnerabilities, including three of critical severity, across various products, advising immediate patching.

No active exploitations have been observed for these additional vulnerabilities, but admins are urged to remain vigilant and update affected systems promptly.