Cisco Releases Patches for Vulnerability Exploited in Widespread Brute-Force Attacks
Cisco has issued patches for multiple vulnerabilities impacting its Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products.
Cisco has issued patches for multiple vulnerabilities impacting its Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including a recently exploited flaw.
Announced on Wednesday, these updates address a range of security issues, including CVE-2024-20481 (CVSS 5.8), an exploited vulnerability affecting the Remote Access VPN (RAVPN) service in ASA and FTD products. This flaw allows remote, unauthenticated attackers to initiate denial-of-service (DoS) conditions through resource exhaustion by flooding affected devices with VPN authentication requests.
Cisco highlights that only ASA and FTD versions with RAVPN enabled are vulnerable and confirms in-the-wild exploitation of this vulnerability. These attacks are part of a large-scale brute-force campaign targeting VPN and SSH services, initially flagged by Cisco in April 2024. The campaign affects devices from multiple vendors, including Checkpoint, Fortinet, SonicWall, MikroTik, Draytek, and Ubiquiti.
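The flooding behaviour described above leaves a recognisable trace on the appliance itself: bursts of rejected RAVPN authentications from a single source, often cycling through many usernames. The script below is an added example for defenders (not code from the article or from Cisco); it parses ASA-style syslog lines, counts rejected AAA authentications per source IP inside a sliding window, and reports sources that exceed a threshold. The sample lines are constructed and modelled on the ASA %ASA-6-113005 "AAA user authentication Rejected" message; the exact field layout and timestamp format of a real export are assumptions, so adjust the regular expression to your own logs.

```python
"""Flag sources generating bursts of rejected RAVPN authentications.

Added example (not from the Cisco advisory or the article): a minimal
brute-force/flood detector over ASA-style syslog lines. It counts rejected
AAA authentications per source IP inside a sliding time window and reports
sources that exceed a threshold, together with how many distinct usernames
they tried (password spraying shows up as many users, few attempts each).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the ASA %ASA-6-113005 message
# (assumption: real exports may differ in field layout or timestamp format).
# One unrelated connection-log line is included to show that it is skipped.
SAMPLE_LOGS = """\
Oct 23 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Oct 23 2024 10:00:02 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Oct 23 2024 10:00:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 203.0.113.10
Oct 23 2024 10:00:04 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.10
Oct 23 2024 10:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Oct 23 2024 10:00:06 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Oct 23 2024 10:00:07 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51000 (198.51.100.7/51000) to identity:10.0.0.1/443 (10.0.0.1/443)
Oct 23 2024 10:00:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Oct 23 2024 10:05:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
"""

# Matches only the rejected-authentication message; everything else is ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(text):
    """Return (timestamp, username, source_ip) for each rejected-auth line."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # not a rejection message; skip
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def detect_bursts(events, threshold=5, window_seconds=60):
    """Return {source_ip: summary} for sources whose rejections reach
    `threshold` inside any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, entries in by_ip.items():
        entries.sort()
        times = [t for t, _ in entries]
        start = 0
        peak = 0  # largest number of rejections seen inside one window
        for end in range(len(times)):
            # Advance the window start until the span fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(entries),
                "peak_in_window": peak,
                "distinct_users": len({u for _, u in entries}),
                "first": times[0],
                "last": times[-1],
            }
    return flagged


if __name__ == "__main__":
    hits = detect_bursts(parse_rejections(SAMPLE_LOGS))
    for ip, s in hits.items():
        print(f"{ip}: {s['attempts']} rejections, peak {s['peak_in_window']} "
              f"in {60}s, {s['distinct_users']} usernames tried "
              f"({s['first']} .. {s['last']})")
```

On the constructed input only 203.0.113.10 is reported (six rejections in six seconds across four usernames); the two widely spaced failures from 198.51.100.7 stay below the threshold. The threshold and window are the tuning knobs: a low threshold with a long window catches slow password spraying, a high threshold with a short window isolates the request floods that exhaust RAVPN resources. Pairing this with rate limiting or geo/ACL restrictions on the VPN listener, and with the vendor patch, is the practical mitigation.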
Critical vulnerabilities: CVE-2024-20329, CVE-2024-20424 & CVE-2024-20412
This advisory, published in Cisco’s October 2024 semiannual ASA, FMC, and FTD security update, details over 50 vulnerabilities, including three critical issues. Cisco is not aware of active exploitation of these specific flaws; however, proof-of-concept code has been disclosed for CVE-2024-20377, CVE-2024-20387, and CVE-2024-20388, all related to information disclosure in FMC.
The three critical vulnerabilities are:
CVE-2024-20329 (CVSS 9.9) impacts ASA, allowing authenticated, remote attackers to execute OS commands with root privileges over SSH, gaining full control of the system.
CVE-2024-20424 (CVSS 9.9) affects FMC, enabling authenticated, remote attackers to send crafted HTTP requests to execute arbitrary commands with root privileges on the underlying OS.
CVE-2024-20412 (CVSS 9.3) impacts Cisco’s Firepower 1000, 2100, 3100, and 4200 series, allowing local, unauthenticated attackers to access the command line using static credentials.
Cisco has also released fixes for ten high-severity vulnerabilities in FTD, many of which also affect ASA, as well as for one high-severity vulnerability in the Adaptive Security Virtual Appliance (ASAv) and Secure Firewall Threat Defense Virtual (FTDv). Besides a critical VPN web server flaw that could enable arbitrary code execution with root access, the high-severity issues primarily allow DoS conditions.
The remaining advisories in Cisco’s semiannual publication cover 33 medium-severity issues across ASA, FMC, and FTD products. Additionally, Cisco warns of a potential issue with the Vulnerability Database (VDB) release for FTD that could unexpectedly restart the Snort detection engine.
Cisco also announced a patch for a medium-severity flaw in IKEv2 processing within Secure Client Software, which could be exploited remotely by unauthenticated attackers to trigger DoS conditions.
Organizations are strongly encouraged to apply Cisco’s patches promptly. Full details are available on Cisco’s security advisories page.