Cisco has released a workaround for bugs in some of its software that are being actively exploited in the wild.
According to a security advisory from the company, the patched flaw was found in Adaptive Security Appliance (ASA) and in Firepower Threat Defense (FTD). It is described as a resource exhaustion vulnerability, tracked as CVE-2024-20481. It received an average severity rating of 5.8.
Describing the theory behind the attack, Cisco says an attacker could send a large number of VPN authentication requests to a vulnerable device, draining its resources. This results in a Denial-of-Service (DoS) status of the Remote Access VPN (RAVPN) service. Furthermore, because the attackers send authentication requests, it might work (depending on the strength of the credentials), giving the miscreants unauthorized network access.
Abused in the wild
Depending on the impact of the attack, victims may need to restore RAVPN service, Cisco explained.
The good news is that the bug only affects devices with the RAVPN (Remote Access VPN) service enabled. The bad news is that the bug is actively being exploited in the wild and there is no fix for it. Cisco said it is “aware of malicious use of the vulnerability described in this advisory,” and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog.
Cisco VPN tools are extremely popular around the world and are used by both SMBs and large enterprises. That is why they are a prime target for cybercriminals looking to worm their way into companies’ IT infrastructure.
Talos, the company’s cybersecurity arm, recently warned that it is monitoring an increase in brute-force attacks against VPNs. The registry remembers. “These attacks all appear to be coming from TOR exit nodes and a range of other anonymizing tunnels and proxies,” Talos said.