Cisco has disclosed a critical vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that is actively exploited in the wild.

The flaw, tracked as CVE-2024-20481, allows unauthenticated, remote attackers to exhaust system resources and cause a denial of service (DoS) condition on affected devices.

The vulnerability resides in the Remote Access VPN (RAVPN) service of Cisco ASA and FTD software.

It is caused by improper handling of VPN authentication requests, allowing attackers to flood targeted devices with a large number of requests and consume excessive resources.

Successful exploitation can lead to a DoS condition, disrupting the availability of the RAVPN service. In some cases, a device reload may be necessary to restore functionality.

Cisco Talos, the company’s threat intelligence division, has observed large-scale brute-force attacks targeting VPNs and SSH services using commonly used login credentials.

These attacks aim to exploit the vulnerability and gain unauthorized access to corporate networks.

The vulnerability affects Cisco ASA and FTD software if the RAVPN service is enabled. Customers are advised to check the Fixed Software section of Cisco’s advisory to determine if their specific software version is vulnerable.

To verify if SSL VPN is enabled on a device, administrators can use the show running-config webvpn | include ^ enable command on the device CLI. If there is no output, SSL VPN is not enabled, and the device is unaffected.

Indicators of Compromise

Organizations can detect if they are being targeted by password spray attacks by monitoring for specific log messages that occur frequently and in large quantities. Examples include:

%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.2.3 : user = admin : user IP = 192.168.1.2

%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 192.168.1.2

%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <192.168.1.2> Authentication: rejected, Session Type: WebVPN.

Additionally, monitoring the volume of authentication requests and rejects using the show aaa-server the command can help identify ongoing attacks.

Cisco has released software updates that address this vulnerability, and no workarounds are available. Customers are urged to upgrade to a fixed software release immediately.

The active exploitation of this vulnerability highlights the importance of timely patching and maintaining a robust security posture. Organizations using affected Cisco ASA and FTD software should prioritize upgrading to a fixed release and implementing recommended security configurations to mitigate the risk of successful attacks.