Emergency patch: Cisco fixes bug under exploit in brute-force attacks

Who doesn't love abusing buggy appliances, really?


Cisco has patched an already exploited security hole in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that miscreants have been brute-forcing in attempted denial of service attacks.

The bug, CVE-2024-20481, is a medium-severity flaw that's due to resource exhaustion, earning a 5.8 CVSS rating. According to Cisco, it only affects devices that have the remote access VPN (RAVPN) service enabled.

Plus, Cisco noted it is "aware of malicious use of the vulnerability that is described in this advisory."

The Register reached out to Cisco for additional information about the scope of the attacks, and who is behind them. We'll update this story if and when we hear back.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday also sounded the alarm about the vulnerability, adding CVE-2024-20481 to its Known Exploited Vulnerabilities Catalog.

While there are no workarounds for this bug, Cisco has released software updates that patch the hole. Plus, for customers needing to upgrade an FTD device, there's this guidance.

We know that the Russians, Chinese, and even run-of-the-mill, financially motivated crims love to target buggy appliances, so we'd suggest heeding the advice coming from the feds and netzilla, and patch now.

The way these brute-force attacks work: an attacker spams the vulnerable devices with a tsunami of VPN authentication requests using a combination of generic and valid credentials until they get a hit. A hit gives the criminals unauthorized network access, plus the ability to lock legit users out of their accounts, or, as appears to be the case in these incidents, exhaust the machine's resources and lead to denial of service conditions on the VPN.

"Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service," the networking giant warned.

Talos, Cisco's threat intelligence arm, noted it has been monitoring an uptick in brute-force attacks against VPNs since at least March. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos said.

To help mitigate against password-spray attacks, Cisco has also published a series of recommendations that are worth a read, as is the vendor's full list of indicators of compromise provided in the security advisory. ®
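The article describes two things a defender can look for in RAVPN authentication logs: a flood of rejected logins that exhausts the device, and credential spraying that, per Talos, arrives from many anonymizing exits rather than one address. The following is an added illustration, not Cisco's or Talos's tooling: it parses constructed syslog-style rejection lines (the message layout here is a hypothetical approximation of an ASA AAA rejection, not a field-accurate copy) and flags both a single source generating too many failures inside a sliding window and a username being tried from many distinct sources, which a per-IP threshold alone would miss when the traffic is spread across proxies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, loosely modelled on ASA AAA rejection messages.
# The format is an assumption for this example, not verified device output.
SAMPLE_LOG = """\
Oct 24 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Oct 24 10:00:02 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.10
Oct 24 10:00:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser1 : user IP = 203.0.113.10
Oct 24 10:00:04 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Oct 24 10:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = support : user IP = 203.0.113.10
Oct 24 10:00:06 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.10
Oct 24 10:00:08 fw01 %ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.20/51234 (198.51.100.20/51234) to identity:10.0.0.1/443 (10.0.0.1/443)
Oct 24 10:00:10 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser1 : user IP = 198.51.100.20
Oct 24 10:00:11 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser1 : user IP = 192.0.2.33
Oct 24 10:00:12 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser1 : user IP = 192.0.2.44
Oct 24 10:05:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
"""

# Matches only the rejection message and pulls out timestamp, user and source.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: "
    r"AAA user authentication Rejected.*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_rejection(line):
    """Return {'ts', 'user', 'ip'} for a rejection line, or None for anything else."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for computing gaps inside one capture.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "ip": m.group("ip")}


def max_events_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    q = deque()
    best = 0
    for t in sorted(timestamps):
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        best = max(best, len(q))
    return best


def detect_bruteforce(lines, window_seconds=60,
                      per_source_threshold=5, distinct_source_threshold=3):
    """Flag noisy sources (volume-based) and sprayed usernames (spread-based)."""
    by_source = defaultdict(list)       # ip -> list of rejection timestamps
    sources_per_user = defaultdict(set)  # user -> set of source ips
    total = 0
    for line in lines:
        ev = parse_rejection(line)
        if ev is None:
            continue
        total += 1
        by_source[ev["ip"]].append(ev["ts"])
        sources_per_user[ev["user"]].add(ev["ip"])

    noisy_sources = {}
    for ip, stamps in by_source.items():
        peak = max_events_in_window(stamps, window_seconds)
        if peak >= per_source_threshold:
            noisy_sources[ip] = peak

    # A username hit from many different sources is the signature of spraying
    # through proxies: each source stays under the per-IP threshold.
    sprayed_users = {u: len(ips) for u, ips in sources_per_user.items()
                     if len(ips) >= distinct_source_threshold}

    return {"rejections": total,
            "noisy_sources": noisy_sources,
            "sprayed_users": sprayed_users}


if __name__ == "__main__":
    report = detect_bruteforce(SAMPLE_LOG.splitlines())
    print(f"rejections parsed: {report['rejections']}")
    print(f"noisy sources (peak failures per window): {report['noisy_sources']}")
    print(f"sprayed users (distinct sources): {report['sprayed_users']}")
```

On the sample above the single host 203.0.113.10 trips the volume rule with six failures in five seconds, while vpnuser1 trips the spread rule because it is tried from four different addresses, none of which individually exceeds the per-source limit; alice's lone typo several minutes later matches neither. Thresholds are placeholders to tune against a site's normal failure rate.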
