External risk intelligence

Cisco VPN Denial-of-Service Vulnerability

CVE advisory · Known Exploit

CVE-2024-20481

Cisco Adaptive Security Appliance and Firepower Threat Defense software have a Remote Access VPN service vulnerability that an unauthenticated attacker can exploit to cause a denial of service. This is due to resource exhaustion from numerous authentication requests, potentially requiring a device reload to restore ser

Halo Surface Signal: 5

Denial of Service

Cisco Firepower Threat Defense Software

6.2.3, 6.2.3.1, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.8, 6.2.3.9, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.18, 6.4.0, 6.4.0.1, 6.4...

External exposure likelihood

Halo Surface Signal score for CVE-2024-20481

The vulnerability affects the Remote Access VPN (RAVPN) service of Cisco ASA and FTD devices. These products are edge security gateways explicitly designed to be internet-facing to provide remote access and connectivity, making them public-facing by design in their standard, intended deployment configuration.

Horizon Alert

Summary of the vulnerability and why it matters

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software contain a vulnerability within their Remote Access VPN (RAVPN) service. This flaw could enable an unauthenticated, remote attacker to disrupt the RAVPN service. The core issue stems from resource exhaustion, potentially leading to a denial-of-service condition that may necessitate device reloads.

  • Vulnerable VPN service
  • Resource exhaustion flaw
  • Denial of service impact

Attack Path

How an attacker could exploit the issue

This vulnerability impacts organizations using Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Attackers can target the Remote Access VPN (RAVPN) service by sending a large volume of authentication requests. This action can exhaust system resources, leading to a denial-of-service (DoS) condition for the RAVPN service. Restoring service may require reloading the affected device.

  • Exposed RAVPN service.
  • Unauthenticated remote attacker.
  • Trigger resource exhaustion; impact RAVPN service.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability impacts Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, specifically affecting the Remote Access VPN (RAVPN) service. Exploitation could lead to a denial-of-service condition, disrupting VPN access for organizations. The vulnerability stems from resource exhaustion, triggered by a large volume of VPN authentication requests. While non-VPN services remain unaffected, a device reload may be necessary to restore RAVPN functionality.

  • Attacker skill level: Low.
  • Requires network access.
  • Business risk: Medium, impacting VPN access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A vulnerability in Cisco's Remote Access VPN service could allow an unauthenticated attacker to disrupt the VPN service through resource exhaustion. This could lead to a denial of service, potentially requiring a device reload to restore functionality. Services unrelated to VPN are unaffected.

  • Identify exposed VPN assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.

Frequently asked questions

What are Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software used for?

Cisco ASA and FTD are security products that function as firewalls and VPN gateways, controlling network traffic and securing remote access for users [1, 2, 3, 4, 5, 11, 14, 15, 16, 17].

What type of vulnerability is CVE-2024-20481 in Cisco's VPN service?

CVE-2024-20481 is a resource exhaustion vulnerability within the Remote Access VPN (RAVPN) service of Cisco ASA and FTD software [1, 3, 5, 15, 17]. This weakness class is identified as CWE-772 [7, 8].

How can CVE-2024-20481 be exploited, and what is its scope?

An unauthenticated, remote attacker can exploit this vulnerability by sending a large volume of VPN authentication requests to an affected device. This can exhaust system resources, leading to a denial-of-service (DoS) of the RAVPN service. Services unrelated to VPN are not affected [1, 3, 5, 15, 17]. The CVSS vector indicates a scope change (S:C) [5, 10, 17].

How relevant is CVE-2024-20481 to internet-facing devices?

This vulnerability is highly relevant to internet-facing devices as it affects the Remote Access VPN (RAVPN) service, which is designed for external connectivity. The 'Attack Vector: Network' (AV:N) in its CVSS scoring confirms its external exploitability [5, 10, 17].

What actions should be taken in response to CVE-2024-20481?

Organizations should apply the software patches released by Cisco. Additionally, consider enabling logging, configuring threat detection for RAVPN services, implementing hardening practices like disabling AAA authentication if feasible, and manually blocking unauthorized connection attempts. A device reload may be necessary to restore RAVPN service after an attack [1, 2, 4, 6, 8, 15, 16].
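The logging and threat-detection advice above is easiest to act on with a concrete rate check. The following added example (not Cisco's code, and not part of the original advisory) applies a sliding-window count to rejected RAVPN authentications; the syslog layout, the %ASA-6-113005 message ID and all addresses are assumptions, and the log lines are constructed in the script rather than captured from a device. It flags both a single noisy source and a distributed flood that stays under any per-source threshold, since resource exhaustion on the gateway depends on total volume.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: sliding-window detection of an RAVPN authentication flood. Log layout and
# message ID are assumptions modeled on ASA AAA syslog; every line below is constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: AAA user authentication "
    r"Rejected : .* : user IP = (?P<ip>\S+)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"


def make_line(ts, ip, user="u"):
    """Build one constructed rejected-authentication syslog line (sample data, not device output)."""
    return (f"{ts.strftime(TS_FMT)} fw1 %ASA-6-113005: AAA user authentication Rejected : "
            f"reason = Invalid password : server = 10.0.0.5 : user = {user} : user IP = {ip}")


def detect_auth_flood(lines, window=timedelta(seconds=60), per_ip_threshold=20, global_threshold=50):
    """Return flagged source IPs and whether the aggregate rate alone crossed its threshold.
    A noisy single source trips the per-IP window; a distributed flood that stays under the
    per-IP threshold trips the aggregate window, because exhaustion depends on total volume."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    events.sort()  # syslog may arrive out of order; the window logic needs time order
    per_ip, overall = defaultdict(deque), deque()
    flagged, global_flood = set(), False
    for ts, ip in events:
        for q in (per_ip[ip], overall):
            q.append(ts)
            while ts - q[0] > window:  # drop events that fell out of the window
                q.popleft()
        if len(per_ip[ip]) >= per_ip_threshold:
            flagged.add(ip)
        if len(overall) >= global_threshold:
            global_flood = True
    return {"flooding_sources": sorted(flagged), "global_flood": global_flood}


T0 = datetime(2024, 10, 23, 10, 0, 0)
# Scenario 1 (constructed): one source sends 25 rejections in 25 s; a real user mistypes twice.
TARGETED = [make_line(T0 + timedelta(seconds=i), "198.51.100.7") for i in range(25)]
TARGETED += [make_line(T0, "203.0.113.9", "alice"), make_line(T0 + timedelta(seconds=40), "203.0.113.9", "alice")]
# Scenario 2 (constructed): 60 distinct sources, one rejection each, all inside the same minute.
DISTRIBUTED = [make_line(T0 + timedelta(seconds=i), f"192.0.2.{i}") for i in range(60)]

if __name__ == "__main__":
    print(detect_auth_flood(TARGETED))     # {'flooding_sources': ['198.51.100.7'], 'global_flood': False}
    print(detect_auth_flood(DISTRIBUTED))  # {'flooding_sources': [], 'global_flood': True}
```

Thresholds are placeholders; tune them against a baseline of normal failed-login volume for the gateway before alerting on them.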
