logo

Cisco fixes VPN DoS flaw discovered in password spray attacks

Cisco

Cisco fixed a denial of service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.

The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.

"A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service," reads the CVE-2024-20481 security advisory.

"This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device."

Cisco says that once this DDoS attack impacts a device, a reload may be required to restore RAVPN services.

While the Cisco Product Security Incident Response Team (PSIRT) says they are aware of the active exploitation of this vulnerability, it was not used to target Cisco ASA devices in DoS attacks.

Instead, the flaw was discovered as part of large-scale brute-force password attacks in April against VPN services on a wide variety of networking hardware, including:

  • Cisco Secure Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • Miktrotik
  • Draytek
  • Ubiquiti

These attacks were designed to harvest valid VPN credentials for corporate networks, which can then be sold on dark web markets, to ransomware gangs for initial access, or used to breach networks in data-theft attacks.

However, due to the large number of sequential and rapid authentication requests made against devices, the attackers unwittingly used up the resources on the device, causing a denial of service state on the Cisco ASA and FTD devices.

Cisco says that this flaw can only be exploited if the RAVPN service is enabled.

Admins can check if SSL VPN is enabled on a device by issuing the following command:

firewall# show running-config webvpn | include ^ enable

If there is no output, then the RAVPN service is not enabled.

Other Cisco vulnerabilities 

Cisco has also issued 37 security advisories for 42 vulnerabilities on various of its products, including three critical-severity flaws impacting Firepower Threat Defense (FTD), Secure Firewall Management Center (FMC), and Adaptive Security Appliance (ASA).

Although none of the flaws have been observed to be actively exploited in the wild, their nature and severity should warrant immediate patching by impacted system admins.

A summary of the flaws is given below:

  • CVE-2024-20424: Command injection flaw in the web-based management interface of Cisco FMC software, caused by improper validation of HTTP requests. It allows authenticated remote attackers with at least 'Security Analyst' privileges to execute arbitrary commands on the underlying OS with root privileges. (CVSS v3.1 score: 9.9)
  • CVE-2024-20329: Remote command injection vulnerability in Cisco ASA caused by insufficient user input validation in remote CLI commands over SSH. It allows authenticated remote attackers to execute root-level OS commands. (CVSS v3.1 score: 9.9)
  • CVE-2024-20412: Static credentials in Firepower 1000, 2100, 3100, and 4200 Series devices, allowing local attackers unrestricted access to sensitive data, as well as configuration modification. (CVSS v3.1 score: 9.3)

CVE-2024-20424 impacts any Cisco product running a vulnerable version of FMC regardless of device configuration. The vendor has given no workarounds for this flaw.

CVE-2024-20329 impacts ASA releases that have the CiscoSSH stack enabled and SSH access allowed on at least one interface.

A proposed workaround for this flaw is to disable the vulnerable CiscoSSH stack and enable the native SSH stack by using the command: "no ssh stack ciscossh"

This will disconnect active SSH sessions, and changes must be saved to make it persistent across reboots.

CVE-2024-20412 impacts FTD Software versions 7.1 through 7.4 with a VDB release of 387 or earlier on Firepower 1000, 2100, 3100, and 4200 Series devices.

Cisco says there's a workaround for this problem available to impacted clients through its Technical Assistance Center.

For CVE-2024-20412, the software vendor has also included signs of exploitation in the advisory to help system administrators detect malicious activity.

It is recommended to use this command to check for use of static credentials: 

zgrep -E "Accepted password for (csm_processes|report|sftop10user|Sourcefire|SRU)"/ngfw/var/log/messages*

If any successful login attempts are listed, it might be an indication of exploitation. If no output is returned, the default credentials weren't used during the log retention period.

No exploitation detection advice was provided for CVE-2024-20424 and CVE-2024-20329, but looking at the logs for unusual/abnormal events is always a solid method for finding suspicious activity.

Updates for all three of the flaws are available through the Cisco Software Checker tool.


Free security scan for your website