Active Exploits Target Cisco ASA and FTD VPNs: Urgent Update Needed (CVE-2024-20481)

CVE-2024-20481 - Daggerfly group

Cisco has disclosed an actively exploited vulnerability (CVE-2024-20481) in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow attackers to launch denial-of-service (DoS) attacks against Remote Access VPN (RAVPN) services. This vulnerability carries a CVSS score of 5.8 and affects devices running vulnerable releases of ASA or FTD software with RAVPN enabled.

The vulnerability arises from a resource exhaustion issue. As stated in the advisory: “An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.”

This means attackers could potentially flood the VPN service with authentication requests, overwhelming system resources and disrupting legitimate user access. In some cases, a device reload may be necessary to restore RAVPN functionality. Importantly, Cisco notes that services unrelated to VPN remain unaffected.

To check if your device is vulnerable, Cisco recommends running the following command in the device CLI:

show running-config webvpn | include ^ enable

Any output from this command indicates that SSL VPN is enabled and the device may be vulnerable.

The advisory provides guidance on identifying potential password spray attacks, a common method for exploiting this vulnerability. Indicators include specific log messages appearing frequently and in large quantities, such as authentication rejections and failed login attempts. Monitoring the volume of authentication requests and rejections using the show aaa-server command can also help detect ongoing attacks.

Unfortunately, no workarounds are available for CVE-2024-20481. Cisco has released software updates that address the issue and strongly urges users to upgrade to a fixed release as soon as possible.

Cisco also recommends that customers review the “Configure Threat Detection for VPN Services” section of the Cisco Secure Firewall ASA Firewall CLI Configuration Guide after installing a fixed release. This section guides enabling protections against various VPN-related attacks.

Concerningly, Cisco PSIRT is aware of malicious use of this vulnerability.  Organizations relying on Cisco ASA or FTD software for RAVPN services should prioritize updating their systems to mitigate the risk of DoS attacks and ensure continued business operations.

Related Posts: