Cisco Systems released a critical advisory regarding a vulnerability in the Remote Access VPN (RAVPN) service associated with its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This vulnerability could allow an unauthenticated, remote attacker to execute a denial of service (DoS) attack against the RAVPN service, impacting organizations relying on these essential security tools.
The Common Vulnerability Scoring System (CVSS) score for this issue is 5.8. This vulnerability is identified by the CVE identifier CVE-2024-20481 and falls under the CWE classification of CWE-772.
Decoding Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software
The investigation into these Cisco vulnerabilities revealed that they stem from resource exhaustion. An attacker could exploit this weakness by sending many VPN authentication requests to an affected device.
Such an assault could exhaust system resources, resulting in a complete denial of service for the RAVPN service. In the event of a successful exploitation, the affected device may need to be rebooted to restore functionality. Importantly, services unrelated to the VPN remain unaffected by this vulnerability.
Cisco’s security research team recently highlighted the rising trend of brute-force attacks targeting VPNs and SSH services that leverage commonly used login credentials. These advisory highlights the critical need for better security measures in network environments.
Impacted Products
At the time of the advisory’s publication, Cisco ASA and FTD software running vulnerable releases with the RAVPN service enabled were at risk. Organizations using these products should verify their software version against the advisory’s guidelines to determine vulnerability status. Notably, there are currently no workarounds available to mitigate this specific vulnerability, making immediate action essential for affected users.
Cisco has confirmed that several of its products are not affected by the identified vulnerability. The products that are considered non-vulnerable include IOS Software, IOS XE Software, and Meraki products. Additionally, NX-OS Software and Secure Firewall Management Center (FMC) Software are also confirmed to be unaffected.
Organizations can check if the SSL VPN feature is enabled on their devices by executing the command: show running-config webvpn | include ^ enable. If the command returns output, it indicates that SSL VPN is active; conversely, no output confirms that it is not enabled and therefore not vulnerable. For example, if the command returns the output enable outside, it signifies that the SSL VPN feature is enabled, which may indicate potential vulnerability for the device.
Recommendations for Mitigation
Cisco emphasizes the importance of upgrading to the latest software versions to address a vulnerability, as there are no direct workarounds available. Organizations should regularly consult Cisco’s security advisories to stay informed and ensure they are using updated software.
When upgrading Cisco ASA or FTD devices, it’s crucial to check for sufficient memory and compatibility with current hardware. After upgrading, organizations should review the “Configure Threat Detection for VPN Services” section in the Cisco Secure Firewall ASA CLI Configuration Guide to enhance protections against various VPN-related attacks.
The advisory highlights the urgent need for organizations using Cisco Adaptive Security Appliance and Firepower Threat Defense Software to respond promptly to the identified vulnerability affecting the Remote Access VPN service. Proactive monitoring, timely upgrades, and strong security practices are essential for safeguarding network infrastructures. For further details, organizations can refer to the full advisory linked in the original document. It’s vital to implement recommended actions to mitigate risks and remain vigilant against online threats.
