Cisco fixed tens of vulnerabilities, including an actively exploited one

Pierluigi Paganini October 24, 2024

Cisco patched vulnerabilities in ASA, FMC, and FTD products, including one actively exploited in a large-scale brute-force attack campaign.

Cisco addressed multiple vulnerabilities in Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including an actively exploited flaw tracked as CVE-2024-20481.

The vulnerability CVE-2024-20481 (CVSS score of 5.8) is a Denial of Service (DoS) issue that impacts the Remote Access VPN (RAVPN) service of ASA and FTD.

An unauthenticated, remote attacker can exploit the vulnerability to cause a denial of service (DoS) of the RAVPN service.

“This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device,” reads the advisory. “Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service. Services that are not related to VPN are not affected.”

In April, Cisco Talos researchers detailed large-scale brute-force activity targeting VPN and SSH services with commonly used login credentials. Cisco warned customers of password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The IT giant pointed out that the attacks are also targeting third-party VPN concentrators.

The company has now confirmed that CVE-2024-20481 is being actively exploited in the wild.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious use of the vulnerability that is described in this advisory,” continues the advisory.
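Both the password-spraying campaign and CVE-2024-20481 show up on the device as bursts of rejected VPN authentications, so defenders can watch for them in syslog. The detector below is an added example, not code from Cisco or from this article; it assumes ASA messages 113005 and 113015 (AAA authentication rejected), a constructed log line layout with an ISO timestamp prefix, and illustrative thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matcher for ASA "AAA user authentication Rejected" messages (IDs 113005
# and 113015). The exact field spacing is an assumption, so it is tolerant.
REJECT = re.compile(
    r"^(?P<ts>\S+) .*%ASA-6-(?:113005|113015): AAA user authentication Rejected"
    r".*?user\s*=\s*(?P<user>[^:\s]+)\s*:\s*user IP\s*=\s*(?P<ip>\S+)"
)

def detect_spray(lines, window=timedelta(seconds=60), min_users=5, min_failures=20):
    """Return {source_ip: reason} for sources that exceed either threshold
    inside one sliding window. Thresholds are illustrative, not Cisco guidance."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username)
    flagged = {}
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:      # many usernames from one source
            flagged.setdefault(m["ip"], "spray: %d usernames" % len(users))
        elif len(q) >= min_failures:     # sheer volume of rejected requests
            flagged.setdefault(m["ip"], "flood: %d failures" % len(q))
    return flagged

# Constructed sample: one source tries six usernames in six seconds,
# while another user mistypes a password twice.
SAMPLE = [
    f"2024-10-24T09:00:0{i} fw1 %ASA-6-113005: AAA user authentication Rejected : "
    f"reason = AAA failure : server = 10.0.0.5 : user = {u} : user IP = 198.51.100.7"
    for i, u in enumerate(["admin", "test", "guest", "vpn", "cisco", "backup"])
] + [
    "2024-10-24T09:00:02 fw1 %ASA-6-113015: AAA user authentication Rejected : "
    "reason = Invalid password : local database : user = alice : user IP = 203.0.113.20",
] * 2

if __name__ == "__main__":
    for ip, reason in detect_spray(SAMPLE).items():
        print(ip, reason)
```

Per-source thresholds miss a spray spread thinly across many addresses, so the same counters are worth keeping per device as a total rejection rate.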

Cisco also addressed the following three critical vulnerabilities:

  • CVE-2024-20412: Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability;
  • CVE-2024-20424: Cisco Secure Firewall Management Center Software Command Injection Vulnerability;
  • CVE-2024-20329: Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability.

None of the above vulnerabilities are actively exploited in the wild.

The complete list of vulnerabilities addressed by the IT giant is available in the security advisories page.
