Cisco ASA and FTD Are Being Actively Exploited, Urgent Patch Released for CVE-2024-20481

Oct 24, 2024 | By Meghana Raatni | 2 min read

Cisco is warning users of a new flaw in the Remote Access VPN (RAVPN) service of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. CVE-2024-20481 carries a CVSS score of 5.8 and can lead to a denial-of-service (DoS) condition. An unauthenticated, remote attacker could exploit this vulnerability by overwhelming the affected device with a high volume of VPN authentication requests; a successful attack leads to resource exhaustion on the targeted device.

Technical Details

While no specific information regarding this flaw has been made public, Cisco has detailed indicators of compromise in its advisory that can help users determine whether they are experiencing a brute-force password-spray attack. These include:

  • Repeated log messages indicating authentication rejection, appearing frequently and in high volume
  • An increasing count of authentication rejects when the show aaa-server command is run repeatedly on the command line
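As an added example (not from Cisco's advisory or this post), the script below turns the first indicator into detection logic: it parses constructed ASA-style authentication-rejection syslog lines and flags any source whose rejections inside a sliding window span many distinct usernames, which separates a spray from one user mistyping a password. The %ASA-6-113005 message ID and field layout are assumed from Cisco's published ASA syslog format rather than taken from this page, and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog in the shape of Cisco ASA message 113005 ("AAA user
# authentication Rejected"); the message ID and field layout are assumed from
# ASA's documented syslog format, not taken from the advisory above.
SAMPLE_LOGS = """\
Oct 24 2024 10:00:01 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Oct 24 2024 10:00:02 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Oct 24 2024 10:00:03 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = grace : user IP = 203.0.113.9
Oct 24 2024 10:00:03 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Oct 24 2024 10:00:04 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Oct 24 2024 10:00:05 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 198.51.100.7
Oct 24 2024 10:00:06 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 198.51.100.7
Oct 24 2024 10:00:20 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = grace : user IP = 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = [^:]+ : server = \S+ : "
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$")

def parse_rejections(text):
    """Yield (timestamp, source_ip, username) for each 113005 rejection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"], m["user"]

def detect_spray(text, window_s=60, min_rejects=5, min_users=3):
    """Return {source_ip: (rejects, distinct_users)} for sources whose rejections
    inside one sliding window reach min_rejects AND span min_users usernames.
    Input is assumed to be in chronological (syslog) order."""
    recent = defaultdict(deque)  # ip -> (ts, user) pairs still inside the window
    flagged = {}
    for ts, ip, user in parse_rejections(text):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > timedelta(seconds=window_s):  # drop aged-out entries
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_rejects and len(users) >= min_users:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (len(q), len(users)))
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in detect_spray(SAMPLE_LOGS).items():
        print(f"possible password spray from {ip}: {n} rejects, {users} usernames")
```

The single source cycling through six usernames is flagged, while the source that fails twice with the same username is not.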

Products Affected

  • Cisco Adaptive Security Appliance (ASA)
  • Cisco Firepower Threat Defense (FTD)

Impact

Threat actors actively exploited this bug as part of a massive brute-force campaign between March and April 2024. According to Cisco Talos, the brute-force attacks leverage both generic usernames and valid usernames specific to the targeted organizations. These attempts predominantly originate from Tor exit nodes and other anonymizing proxies and tunnels.

Solutions and Mitigations

Cisco has released patches for CVE-2024-20481. There are currently no known workarounds for this flaw, but Cisco recommends that users take the following steps against password-spraying attacks:

  • Enable logging
  • Set up threat detection for remote access VPN services
  • Implement hardening practices, like disabling AAA authentication
  • Manually block unauthorized connection attempts

Restoring the RAVPN service may require reloading the device, depending on the severity of the attack.

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
