Summary: Cisco has addressed multiple vulnerabilities in its security products, including an actively exploited Denial of Service (DoS) flaw tracked as CVE-2024-20481, which affects the Remote Access VPN service. The company has also identified other critical vulnerabilities but confirmed that they are not currently being exploited in the wild.
Threat Actor: Unknown | unknown
Victim: Cisco | Cisco
Key Point :
- The vulnerability CVE-2024-20481 allows unauthenticated remote attackers to cause a DoS of the RAVPN service by sending numerous authentication requests.
- Cisco has warned of ongoing password-spraying attacks targeting Remote Access VPN services on its devices.
- Other critical vulnerabilities addressed include command injection and static credential issues, but they are not actively exploited.
Cisco addressed multiple vulnerabilities in Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including an actively exploited flaw tracked as CVE-2024-20481.
The vulnerability CVE-2024-20481 (CVSS score of 5.8) is a Denial of Service (DoS) issue that impacts the Remote Access VPN (RAVPN) service of ASA and FTD.
An unauthenticated, remote attacker can exploit the vulnerability to cause a denial of service (DoS) of the RAVPN service.
“This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.” reads the advisory. “Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service. Services that are not related to VPN are not affected.”
In April, Cisco Talos researchers detailed a large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials. Cisco warned customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The IT giant pointed out that the attacks are also targeting third-party VPN concentrators.
Now the company confirmed that the flaw CVE-2024-20481 is actively exploited in the wild.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious use of the vulnerability that is described in this advisory.” continues the advisory.
Cisco also addressed the following three critical vulnerabilities:
- CVE-2024-20412: Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability;
- CVE-2024-20424: Cisco Secure Firewall Management Center Software Command Injection Vulnerability;
- CVE-2024-20329: Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability.
None of the above vulnerabilities are actively exploited in the wild.
The complete list of vulnerabilities addressed by the IT giant is available in the security advisories page.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISCO ASA)