Cyber Defense Advisors

Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack

Cisco on Wednesday said it has released updates to address an actively exploited security flaw in its Adaptive Security Appliance (ASA) that could lead to a denial-of-service (DoS) condition.

The vulnerability, tracked as CVE-2024-20481 (CVSS score: 5.8), affects the Remote Access VPN (RAVPN) service of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software.

Arising due to resource exhaustion, the security flaw could be exploited by unauthenticated, remote attackers to cause a DoS of the RAVPN service.

“An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device,” Cisco said in an advisory. “A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.”

Restoration of the RAVPN service may require a reload of the device depending on the impact of the attack, the networking equipment company added.

While there are no direct workarounds to address CVE-2024-20481, Cisco said customers can follow recommendations to counter password spraying attacks –

Enable logging
Configure threat detection for remote access VPN services
Apply hardening measures such as disabling AAA authentication, and
Manually block connection attempts from unauthorized sources

It’s worth noting that the flaw has put to use in a malicious context by threat actors as part of a large-scale brute-force campaign targeting VPNs, and SSH services.

Earlier this April, Cisco Talos flagged a spike in brute-force attacks against Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services since March 18, 2024.

These attacks singled out a wide range of equipment from different companies, including Cisco, Check Point, Fortinet, SonicWall, MikroTik, Draytek, and Ubiquiti.

“The brute-forcing attempts use generic usernames and valid usernames for specific organizations,” Talos noted at the time. “These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.”

Cisco has also released patches to remediate three other critical flaws in FTD Software, Secure Firewall Management Center (FMC) Software, and Adaptive Security Appliance (ASA), respectively –

CVE-2024-20412 (CVSS score: 9.3) – A presence of static accounts with hard-coded passwords vulnerability in FTD Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series that could allow an unauthenticated, local attacker to access an affected system using static credentialsCVE-2024-20424 (CVSS score: 9.9) – An insufficient input validation of HTTP requests vulnerability in the web-based management interface of FMC Software that could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as rootCVE-2024-20329 (CVSS score: 9.9) – An insufficient validation of user input vulnerability in the SSH subsystem of ASA that could allow an authenticated, remote attacker to execute operating system commands as root

With security vulnerabilities in networking devices emerging as a center point of nation-state exploitations, it’s essential that users move quickly to apply the latest fixes.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.