CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:X/RL:X/RC:X
-
A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service.
This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device. Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service. Services that are not related to VPN are not affected.
Cisco Talos discussed these attacks in the blog post Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-bf-dos-vDZhLqrWThis advisory is part of the October 2024 release of the Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: October 2024 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.
-
Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco ASA or FTD Software and had the RAVPN service enabled.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the SSL VPN Configuration
To determine whether SSL VPN is enabled, use the show running-config webvpn | include ^ enable command on the device CLI. The following example shows the output of the show running-config webvpn | include ^ enable command on a device that has SSL VPN enabled on the outside interface:
firewall# show running-config webvpn | include ^ enable
enable outsideIf there is no output for the command, the SSL VPN is not enabled on any interface and the device is not affected by this vulnerability.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- IOS Software
- IOS XE Software
- Meraki products
- NX-OS Software
- Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software
-
When a device is experiencing a password spray attack, there are several potential indicators.
The most prevalent indicator is specific log messages that occur frequently and in large quantities. The following are examples of the types of log messages that may appear during a password spray attack. Which message is present depends on the device configuration, so it is not necessary for all message types to be present to indicate a password spray attack.
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.2.3 : user = admin : user IP = 192.168.1.2
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 192.168.1.2
%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <192.168.1.2> Authentication: rejected, Session Type: WebVPN.Note: Depending on the device configuration, username fields may include * characters to hide the username.
Another method for detecting a password spray attack is to monitor the volume of authentication requests and authentication rejects. To do this, use the show aaa-server command on the CLI multiple times, with several seconds between each use of the command. A large number of authentication rejects could indicate an ongoing attack. The following output of the show aaa-server command shows that the numbers of authentication requests and authentication rejects increased between uses of the command:
Firewall# show aaa-server
Server Group: LDAP-SERVER
Server Protocol: ldap
Server Hostname: ldap-server.example.com
Server Address: 10.1.2.3
Server port: 636
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 2220000
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1312
Number of rejects 2212345
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 1
Number of unrecognized responses 0
Firewall#
.
Wait some amount of time
.
Firewall# show aaa-server
Server Group: LDAP-SERVER
Server Protocol: ldap
Server Hostname: ldap-server.example.com
Server Address: 10.1.2.3
Server port: 636
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 2234567
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1312
Number of rejects 2223456
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 1
Number of unrecognized responses 0
Firewall#
-
There are no workarounds that address this vulnerability. However, there are mitigations that can be implemented for customers who are experiencing password spray attacks and have not upgraded to a fixed release. These mitigations are outlined in the Recommendations Against Password Spray Attacks Aimed at Remote Access VPN Services in Secure Firewall TechNote.
While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
-
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps:
- Choose which advisories the tool will search—all advisories, only advisories with a Critical or High Security Impact Rating (SIR), or only this advisory.
- Choose the appropriate software.
- Choose the appropriate platform.
- Enter a release number—for example, 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software.
- Click Check.
Note: For Cisco 3000 Series Industrial Security Appliances (ISAs) that are running Cisco ASA Software, Cisco ASA Software Release 9.16.4.67 has been deferred and replaced by Release 9.16.4.70.
For instructions on upgrading a Cisco FTD device, see the appropriate Cisco FMC upgrade guide.
Additional Resources
For help determining the best Cisco ASA, FMC, or FTD Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
-
After installing a fixed release, it is recommended that customers review the Configure Threat Detection for VPN Services section of the Cisco Secure Firewall ASA Firewall CLI Configuration Guide. This section will provide guidance on enabling protections from RAVPN login authentication attacks, client initiation attacks, and attempts to connect to an invalid VPN service. Determining which protections are needed is at the discretion of the customer.
-
The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was found during the resolution of a Cisco TAC support case.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.0 Initial public release. — Final 2024-OCT-23
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.