Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability


Cisco announced on Wednesday that it has released critical updates to address a significant vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This vulnerability, tracked as CVE-2024-20481, poses a serious risk as it is currently being exploited in the wild, potentially leading to a denial-of-service (DoS) condition for users.

The Vulnerability

The vulnerability lies in the Remote Access VPN (RAVPN) service of Cisco ASA and FTD software. Rated with a CVSS score of 5.8, it is categorized as a medium-severity flaw. Its root cause is resource exhaustion: an unauthenticated, remote attacker who sends an overwhelming number of VPN authentication requests to an affected device can deplete system resources, ultimately causing a DoS condition for the RAVPN service.

As Cisco described in its advisory, “An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device.” If successful, this exploit could disrupt the RAVPN service, making it inaccessible to legitimate users. Restoration of the service may require a device reboot, further complicating recovery efforts for organizations under attack.

Recommendations

While there are no direct workarounds for addressing CVE-2024-20481, Cisco has provided several recommendations to help mitigate potential risks. These include:

  1. Enable Logging: Keeping detailed logs can help track unusual activities and facilitate timely responses to attacks.

  2. Configure Threat Detection: Implementing threat detection mechanisms for remote access VPN services can provide an added layer of security.

  3. Apply Hardening Measures: Cisco advises disabling AAA (Authentication, Authorization, and Accounting) authentication to limit access to the VPN services.

  4. Manually Block Unauthorized Connections: Proactively blocking connection attempts from known unauthorized sources can help prevent exploitation attempts.
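
The first two recommendations only pay off if the logs are actually watched. The script below is an added example, not Cisco's code and not part of the advisory: it parses the ASA "AAA user authentication Rejected" syslog messages (IDs 113005 and 113015) and raises an alert when a single source address accumulates more than a threshold of rejections inside a sliding time window, which is roughly the behaviour a practitioner would expect from on-device threat detection for remote-access authentication. The log lines are constructed for the example, the leading timestamp layout assumes the appliance is configured with `logging timestamp`, and the threshold and window values are illustrative rather than Cisco's defaults.

```python
"""Detect bursts of rejected remote-access VPN authentications in Cisco ASA syslog."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASA messages 113005 and 113015 both read "AAA user authentication Rejected : ...
# user = <name> : user IP = <address>". The leading timestamp assumes
# `logging timestamp`; whatever sits between it and "%ASA-" (hostname, device-id)
# is ignored. Pattern written for this example, not taken from Cisco documentation.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"%ASA-\d-(?P<msg>113005|113015): AAA user authentication Rejected"
    r" : .*user = (?P<user>.+?) : user IP = (?P<ip>[0-9A-Fa-f.:]+)\s*$"
)


def parse_rejection(line):
    """Return (timestamp, username, source_ip) for a rejection message, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=20, window_seconds=60):
    """Flag source IPs whose rejections within a sliding window reach `threshold`.

    Returns {ip: {"rejections_in_window", "distinct_users", "alert_time"}} with
    the state at the moment the source first crossed the threshold.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(e for e in (parse_rejection(l) for l in lines) if e is not None)
    recent = defaultdict(deque)      # ip -> timestamps of rejections still in window
    users_seen = defaultdict(set)    # ip -> usernames tried (spray indicator)
    alerts = {}
    for ts, user, ip in events:
        q = recent[ip]
        q.append(ts)
        users_seen[ip].add(user)
        while q and ts - q[0] > window:   # expire rejections older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "rejections_in_window": len(q),
                "distinct_users": len(users_seen[ip]),
                "alert_time": ts,
            }
    return alerts


def build_sample_logs():
    """Constructed sample syslog lines (not captured from a real device)."""
    fmt = "{ts:%b %d %Y %H:%M:%S} fw01 : %ASA-6-{msg}: AAA user authentication Rejected : {reason} : user = {user} : user IP = {ip}"
    lines = []
    # 25 rejections in 50 seconds from one address, cycling through guessed usernames
    base = datetime(2024, 10, 23, 10, 15, 0)
    guesses = ["admin", "vpnuser", "jsmith", "test", "cisco"]
    for i in range(25):
        lines.append(fmt.format(ts=base + timedelta(seconds=2 * i), msg="113015",
                                reason="reason = User was not found : local database",
                                user=guesses[i % len(guesses)], ip="203.0.113.10"))
    # A legitimate user mistyping a password three times, five minutes apart
    earlier = datetime(2024, 10, 23, 10, 10, 0)
    for i in range(3):
        lines.append(fmt.format(ts=earlier + timedelta(minutes=5 * i), msg="113005",
                                reason="reason = AAA failure : server = 10.0.0.5",
                                user="mgarcia", ip="198.51.100.7"))
    # A successful login, which the parser must ignore
    lines.append("Oct 23 2024 10:26:00 fw01 : %ASA-6-113004: AAA user authentication "
                 "Successful : server = 10.0.0.5 : user = mgarcia")
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(build_sample_logs()).items():
        print(f"ALERT {ip}: {info['rejections_in_window']} rejections, "
              f"{info['distinct_users']} usernames tried, at {info['alert_time']:%H:%M:%S}")
```

Run against lines from a syslog collector, the script reports the burst source and ignores the slow, single-user failures. The `distinct_users` count is worth alerting on separately: a source that rotates through many account names in a short window matches the generic and organization-specific username pattern Talos describes below, even when the total attempt count stays under the rate threshold.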

The urgency of these measures is underscored by the fact that the vulnerability has been integrated into a broader malicious campaign. Threat actors have been leveraging this and other vulnerabilities in a large-scale brute-force attack targeting VPN and SSH services.


The Rise of Brute-Force Attacks

In April, Cisco Talos reported a notable increase in brute-force attacks against VPN services and SSH interfaces since mid-March 2024. These attacks, which are part of a widespread campaign, have targeted a variety of networking equipment from multiple vendors, including Cisco, Check Point, Fortinet, SonicWall, MikroTik, Draytek, and Ubiquiti.

Talos observed that the brute-force attempts utilize both generic and organization-specific usernames, making them particularly insidious. “These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies,” they noted, highlighting the sophisticated tactics employed by cybercriminals.

Other Critical Vulnerabilities Addressed

In addition to CVE-2024-20481, Cisco has also released patches for three other critical vulnerabilities affecting its FTD Software, Secure Firewall Management Center (FMC) Software, and ASA. These vulnerabilities include:

  • CVE-2024-20412 (CVSS score: 9.3): This flaw involves the presence of static accounts with hard-coded passwords in FTD software for various Cisco Firepower series devices. An unauthenticated local attacker could exploit this to gain unauthorized access.

  • CVE-2024-20424 (CVSS score: 9.9): An insufficient input validation vulnerability in the web-based management interface of FMC software allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system as root.

  • CVE-2024-20329 (CVSS score: 9.9): This vulnerability in the SSH subsystem of ASA can be exploited by authenticated remote attackers, enabling them to execute operating system commands as root due to inadequate user input validation.

Conclusion

The rapid evolution of cyber threats necessitates that organizations remain vigilant and proactive in addressing vulnerabilities within their systems. With the ongoing exploitation of CVE-2024-20481 and other critical flaws, it is essential for users of Cisco ASA and FTD software to apply the latest updates and implement recommended security measures immediately.

Cybersecurity is a collective responsibility, and staying informed about emerging threats is vital for safeguarding organizational assets and sensitive information. As attackers continually adapt their strategies, so must the defenses that organizations put in place. Ensure your systems are updated, monitor for unusual activity, and remain informed about potential vulnerabilities to protect against the evolving landscape of cyber threats.
