Introduction

Cisco has identified a zero-day vulnerability, CVE-2024-20481 [1] [2] [3] [4] [5] [6] [7], affecting its Remote Access VPN (RAVPN) service within the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software [1] [2] [3] [5] [6] [7] [8]. This vulnerability, which can lead to a denial-of-service (DoS) condition [7], poses a significant risk to organizations [4], particularly within federal enterprises [4].

Description

Cisco has disclosed a zero-day vulnerability tracked as CVE-2024-20481 [3], affecting the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software [1] [2] [3] [5] [6] [7] [8]. This medium-severity denial-of-service vulnerability [4], with a CVSS score of 5.3 [7], can be exploited by unauthenticated, remote attackers [7] through resource exhaustion [5] [7], potentially leading to a denial-of-service (DoS) condition for the RAVPN service [1] [7]. An attacker triggers the flaw by sending a high volume of VPN authentication requests [1] [2] [7], akin to a brute-force or password-spray attack [5], which can deplete the device’s resources so that a reload is required to restore the service. Services unrelated to VPN are not affected by this vulnerability [1].

CVE-2024-20481 has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, underscoring its significance as a common attack vector for malicious cyber actors and the potential risks it poses to organizations, particularly within the federal enterprise [4]. The catalog [4], established under Binding Operational Directive (BOD) 22-01 [4], mandates Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by specified deadlines to safeguard their networks against active threats [4]. While BOD 22-01 specifically targets FCEB agencies [4], CISA encourages all organizations to prioritize the timely remediation of vulnerabilities listed in the catalog as part of their vulnerability management practices [4].

While there are no direct workarounds for CVE-2024-20481 [7], Cisco has released a software update to address this vulnerability and recommends that organizations monitor authentication request volumes to identify potential impacts from such attacks. Additionally, enabling logging [5] [7], configuring threat detection for RAVPN services [5] [7], applying hardening measures such as disabling AAA authentication [7], and manually blocking unauthorized connection attempts can help mitigate the risk of exploitation. The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious exploitation of this vulnerability [2], which has been observed in a large-scale brute-force campaign targeting VPNs and SSH services using commonly used login credentials [1] [6] [8]. There has been a noted increase in such attacks since March 18, 2024 [7], originating from TOR exit nodes and other anonymizing proxies [7]. Cisco ASA and FTD services are frequently targeted by threat actors [3], including nation-state actors exploiting previous zero-day flaws against government networks. The vulnerability is also associated with various Common Weakness Enumerations (CWEs) and linked to attack patterns cataloged in the Common Attack Pattern Enumeration and Classification (CAPEC) [1].
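As an added illustration of the monitoring advice above (this is example code, not from Cisco or any of the cited sources), the following Python detector counts rejected RAVPN authentications per source address over a sliding window and reports the distinct usernames tried, which separates a password spray (many users from one source) from a single-account brute force. The sample lines are constructed and only approximate the ASA 113005 syslog format; the exact field layout is an assumption, so adapt the regex to your own log export.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines approximating ASA syslog 113005 (AAA authentication
# rejected); the exact field layout is an assumption, so adapt LINE_RE to your export.
SAMPLE_LOGS = """\
Oct 24 2024 10:00:01 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Oct 24 2024 10:00:03 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Oct 24 2024 10:00:05 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Oct 24 2024 10:00:08 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Oct 24 2024 10:00:12 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = erin : user IP = 198.51.100.7
Oct 24 2024 10:00:30 fw1 : %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = frank
Oct 24 2024 10:05:00 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = frank : user IP = 203.0.113.9
Oct 24 2024 10:09:00 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = frank : user IP = 203.0.113.9
"""

# Match only rejected logons (113005); successes and other messages are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-113005: "
    r"AAA user authentication Rejected .*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

def parse_rejects(text):
    """Return (timestamp, username, source_ip) for every rejected logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["ip"]))
    return events

def detect_auth_flood(events, window_seconds=60, threshold=5):
    """Flag sources with >= threshold rejects in a sliding window; report peak count and users tried."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()                      # chronological order for the sliding window
        start, best = 0, None
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1                # drop events that fell out of the window
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, {u for _, u in items[start:end + 1]})
        if best:
            alerts[ip] = {"count": best[0], "users": best[1]}
    return alerts
```

Tune `window_seconds` and `threshold` to the normal failed-logon rate of your own VPN population; a sustained rise in the peak counts, or many distinct users from one source, is the signal worth alerting on.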

Conclusion

The CVE-2024-20481 vulnerability presents a notable threat to network security, particularly for organizations relying on Cisco’s RAVPN services. While Cisco has issued a software update to mitigate this risk, organizations must remain vigilant by monitoring network traffic and implementing additional security measures. The ongoing exploitation of this vulnerability highlights the need for continuous vigilance and proactive vulnerability management to protect against evolving cyber threats.

References

[1] https://cvefeed.io/vuln/detail/CVE-2024-20481
[2] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-bf-dos-vDZhLqrW
[3] https://www.techtarget.com/searchsecurity/news/366614652/Cisco-ASA-and-FTD-zero-day-used-in-password-spraying-attacks
[4] https://www.cisa.gov/news-events/alerts/2024/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
[5] https://www.darkreading.com/application-security/cisco-asa-ftd-software-active-vpn-exploitation
[6] https://digital.nhs.uk/cyber-alerts/2024/cc-4568
[7] https://thehackernews.com/2024/10/cisco-issues-urgent-fix-for-asa-and-ftd.html
[8] https://www.tenable.com/cve/CVE-2024-20481