Boztek

Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack

On October 24, 2024, Cisco announced the release of updates to address a critical security vulnerability in its Adaptive Security Appliance (ASA), tracked as CVE-2024-20481, which is being actively exploited. This flaw impacts the Remote Access VPN (RAVPN) service of both ASA and Cisco Firepower Threat Defense (FTD) Software and carries a CVSS score of 5.8. The vulnerability arises from resource exhaustion: an unauthenticated remote attacker can potentially cause a denial-of-service (DoS) condition on an affected device by overwhelming it with a large number of VPN authentication requests.

Cisco’s advisory highlights that an attacker exploiting this vulnerability can exhaust the resources of the RAVPN service, leading to its failure. In severe cases, restoring the service may necessitate reloading the affected device. Although there are no direct workarounds for this vulnerability, Cisco recommends several defensive actions for its users, including enabling logging, configuring threat detection for remote access VPN services, applying hardening measures such as disabling AAA authentication, and blocking unauthorized connection attempts.

The vulnerability has gained attention due to its exploitation by threat actors engaged in large-scale brute-force campaigns targeting various VPNs and SSH services. Cisco Talos reported a marked increase in brute-force attacks against these services starting in mid-March 2024. These attacks have been directed against a broad spectrum of equipment from multiple manufacturers, including Cisco, Check Point, Fortinet, SonicWall, MikroTik, DrayTek, and Ubiquiti. The attacks use generic usernames as well as valid usernames specific to the targeted organizations, and often originate from Tor exit nodes and other anonymizing proxies.
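The advisory's first defensive step is enabling logging, and the brute-force campaigns above show up there as bursts of rejected RAVPN logins. As an added example (not code from Cisco or from the article), the following detection logic parses ASA syslog message 113005 (AAA user authentication Rejected) and flags any source address that exceeds a threshold of rejections inside a sliding time window. The timestamp layout assumes `logging timestamp` is enabled on the device; the threshold, window and sample log lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASA message 113005 is emitted for each rejected AAA authentication on the RAVPN
# service. The leading timestamp shape assumes "logging timestamp" is configured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)

def parse_reject(line):
    """Return (timestamp, source_ip, username) for a 113005 line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"], m["user"]

def find_auth_floods(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold rejected logins inside a sliding window.
    Returns {ip: (peak_count_in_window, usernames_tried)}; lines per IP are in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted from that address
    alerts = {}
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue              # not a rejected-auth record, ignore it
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()           # expire events older than the window
        if len(q) >= threshold:
            peak = max(alerts.get(ip, (0, None))[0], len(q))
            alerts[ip] = (peak, users[ip])
    return alerts

def sample_log():
    """Constructed sample: one address spraying usernames, one user mistyping a password."""
    base, fmt = datetime(2024, 10, 24, 9, 0, 0), "%b %d %Y %H:%M:%S"
    tmpl = ("{t}: %ASA-6-113005: AAA user authentication Rejected : reason = "
            "Invalid password : server = 10.0.0.5 : user = {u} : user IP = {ip}")
    lines = [tmpl.format(t=(base + timedelta(seconds=i)).strftime(fmt),
                         u=f"user{i}", ip="203.0.113.7") for i in range(25)]
    lines += [tmpl.format(t=(base + timedelta(seconds=10 * i)).strftime(fmt),
                          u="jsmith", ip="198.51.100.9") for i in range(3)]
    return lines
```

Run against a real export, the same pattern (many distinct usernames from one address in a short window) is the signal to feed into the manual blocking the advisory recommends.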

In addition to addressing CVE-2024-20481, Cisco has released patches for three other significant vulnerabilities affecting FTD Software, Secure Firewall Management Center (FMC) Software, and the ASA itself. Among these, CVE-2024-20412 (CVSS score: 9.3) concerns the presence of static accounts with hard-coded passwords in FTD Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series, which could allow local unauthenticated attackers to access systems using these static credentials.

Another critical vulnerability, CVE-2024-20424, has a CVSS score of 9.9 and relates to inadequate input validation of HTTP requests in FMC Software’s web-based management interface. This flaw could permit an authenticated remote attacker to execute arbitrary commands on the system as root. The third significant vulnerability, CVE-2024-20329 (also 9.9), pertains to insufficient validation of user input in the SSH subsystem of the ASA and gives an authenticated remote attacker a similar ability to execute operating system commands.

Given the emerging trend of security vulnerabilities in networking equipment becoming focal points for nation-state exploitation, Cisco emphasizes the necessity for users to swiftly apply the available patches to safeguard their systems against potential attacks. Applying fixes promptly is crucial to maintaining the integrity and security of network infrastructure against evolving threats.