
Mitigating CVE-2024-20481: Addressing the DoS Vulnerability in Cisco ASA and FTD Software

Executive Summary

CVE-2024-20481 is a medium-severity vulnerability that has been identified in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability, which can lead to a Denial of Service (DoS) condition, is due to resource exhaustion. An unauthenticated, remote attacker can exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. While there are no confirmed reports of exploitation in the wild, the potential for malicious exploitation through large-scale brute-force campaigns remains a concern. Organizations using vulnerable Cisco ASA and FTD software are advised to take immediate action to apply the necessary software updates and implement recommended mitigations to protect against potential DoS attacks.

Technical Information

CVE-2024-20481 is a Denial of Service (DoS) vulnerability affecting the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability is identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2024-20481 and has been assigned a CVSS score of 5.8, indicating a medium severity level. The underlying issue is classified under CWE-772, which refers to the "Missing Release of Resource after Effective Lifetime." This vulnerability arises from the improper management of resources, leading to resource exhaustion when a large number of VPN authentication requests are sent to an affected device.

The exploitation method involves brute-force attacks targeting VPN authentication. An unauthenticated, remote attacker can exploit this vulnerability by sending a high volume of VPN authentication requests to an affected device, potentially causing a DoS condition. This can result in the disruption of VPN services, impacting the availability of network resources for legitimate users.

The affected products include Cisco ASA and FTD Software with the RAVPN service enabled. Specific versions impacted by this vulnerability are Cisco ASA Software versions prior to 9.16.4.70 and Cisco FTD Software versions prior to 6.6.7. Organizations using these versions are at risk of experiencing a DoS condition if the vulnerability is exploited.

Indicators of Compromise (IoCs) associated with this vulnerability include frequent and large quantities of specific log messages indicating authentication rejections. Additionally, an increased volume of authentication requests and rejects can be observed via the show aaa-server command on the device CLI. Monitoring these IoCs can help organizations detect potential exploitation attempts and take appropriate action to mitigate the impact.
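The log-based indicator above can be turned into a simple detection. The following Python script is an added example written for this report; it is not Cisco's code or tooling. It parses syslog lines modelled on Cisco's documented %ASA-6-113005 "AAA user authentication Rejected" message, counts rejections per source IP inside a sliding time window, and reports sources that cross a threshold together with how many distinct user names they tried (many user names from one source is the password-spray pattern). The sample log lines, IP addresses, user names, the 60-second window and the threshold of 5 are all constructed for the example; the script assumes the lines are in chronological order, as a syslog collector would normally deliver them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the %ASA-6-113005 format.
# 203.0.113.10 tries six different user names in six seconds (spray pattern);
# 198.51.100.7 is a single user who mistyped a password twice.
SAMPLE_LOG = """\
Oct 24 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Oct 24 2024 10:00:02 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
Oct 24 2024 10:00:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.10
Oct 24 2024 10:00:04 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.10
Oct 24 2024 10:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.10
Oct 24 2024 10:00:06 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.10
Oct 24 2024 10:00:07 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
Oct 24 2024 10:00:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = gina : user IP = 198.51.100.7
Oct 24 2024 10:00:45 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = gina : user IP = 198.51.100.7
"""

# Only the rejection message (113005) is of interest; any other line is skipped.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)


def parse_reject(line):
    """Return a dict for a 113005 rejection line, or None for any other line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "reason": m.group("reason").strip(),
        "server": m.group("server"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def find_bruteforce_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Flag source IPs whose rejection count inside any sliding `window`
    reaches `threshold`. Each flagged source gets its total rejections, the
    number of distinct user names tried, and the peak count seen in one window."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    peak = defaultdict(int)
    for line in lines:
        ev = parse_reject(line)
        if ev is None:
            continue
        src = ev["src"]
        q = recent[src]
        q.append(ev["ts"])
        # Drop timestamps that have aged out of the window (lines are chronological).
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        totals[src] += 1
        users[src].add(ev["user"])
        peak[src] = max(peak[src], len(q))
    return {
        src: {
            "rejects": totals[src],
            "distinct_users": len(users[src]),
            "peak_in_window": peak[src],
        }
        for src in totals
        if peak[src] >= threshold
    }


if __name__ == "__main__":
    for src, summary in find_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {summary}")
```

Run against a real export, the script complements the show aaa-server counters: the counters tell you that rejections have risen, while the per-source breakdown tells you where the traffic is coming from and whether one source is cycling through many accounts. The window and threshold should be tuned to the normal failure rate of the VPN population before alerts are acted on.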

Exploitation in the Wild

As of now, there are no confirmed reports of exploitation in the wild for CVE-2024-20481. However, the Cisco Product Security Incident Response Team (PSIRT) has acknowledged the potential for malicious exploitation through large-scale brute-force campaigns. These campaigns could leverage this vulnerability to disrupt VPN services, causing significant operational impact for affected organizations. It is crucial for organizations to remain vigilant and monitor for any signs of exploitation attempts.

APT Groups using this vulnerability

No specific Advanced Persistent Threat (APT) groups have been identified as exploiting this vulnerability. The tactics, techniques, and procedures (TTPs) associated with this vulnerability align with those used in brute-force and resource exhaustion attacks. These TTPs are commonly employed by threat actors to disrupt services and gain unauthorized access to network resources. Organizations should monitor for unusual authentication patterns and implement rate-limiting to mitigate the risk of exploitation.

Affected Product Versions

The vulnerability affects Cisco products running a vulnerable release of Cisco ASA or FTD Software with the RAVPN service enabled. The specific versions impacted by this vulnerability are Cisco ASA Software versions prior to 9.16.4.70 and Cisco FTD Software versions prior to 6.6.7. Organizations using these versions are advised to upgrade to the fixed software release to mitigate the risk of exploitation.

Workaround and Mitigation

Cisco has released software updates to address this vulnerability. There are no workarounds available, but mitigations against password spray attacks are provided in the Cisco Secure Firewall TechNote. Customers are advised to upgrade to the fixed software release and review the "Configure Threat Detection for VPN Services" section in the Cisco Secure Firewall ASA Firewall CLI Configuration Guide. Implementing these mitigations can help protect against potential DoS attacks and ensure the availability of network resources.

References

For more information on CVE-2024-20481 and the associated vulnerability, please refer to the following resources:

  • Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-bf-dos-vDZhLqrW
  • CISA Alert on Known Exploited Vulnerabilities: https://www.cisa.gov/news-events/alerts/2024/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
  • Cisco Talos Blog on Brute-force Activity: https://blog.talosintelligence.com/2024/10/large-scale-brute-force-activity.html

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive visibility into your organization's security posture, enabling you to identify and mitigate vulnerabilities before they can be exploited. We are here to support you in addressing any questions or concerns you may have about this report or any other cybersecurity issues. Please feel free to reach out to us at ops@rescana.com for assistance.