Protecting VPNs from Brute-Force Attacks: Cisco ASA and FTD’s Latest Update Explained

Here’s an expanded and more technical look at the recent Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) updates designed to prevent brute-force attacks against VPN credentials. These updates come in response to ongoing threats from large-scale brute-force password-spraying attacks, which have increasingly targeted VPN services as a common entry point into corporate networks.

New Cisco ASA and FTD Features

Cisco has enhanced its ASA and FTD software with mechanisms specifically to counter brute-force password attempts against VPNs. These new features focus on detecting and blocking rapid authentication attempts that characterize brute-force attacks. Attackers typically use these methods to harvest valid credentials, which they can then leverage to gain unauthorized access to networks. Such credentials are often sold on dark web forums or used directly in cyberattacks, including ransomware operations.

The Vulnerability: CVE-2024-20481

This vulnerability, affecting Remote Access VPN (RAVPN) services, allows attackers to exploit Cisco ASA and FTD by overwhelming the VPN service with repeated login attempts, leading to resource exhaustion. When successful, this attack disrupts services and could render the VPN inaccessible to legitimate users, creating a denial-of-service (DoS) condition. This flaw has a high Common Vulnerability Scoring System (CVSS) score due to the ease with which attackers can overload the system using automated brute-force tools.

Administrators can verify if the SSL VPN service is enabled on their devices by running:

```shell
firewall# show running-config webvpn | include ^ enable
```

If the command does not return output, then RAVPN is disabled, meaning the device is not directly affected by this particular DoS vulnerability.

Security Implications and Best Practices

These brute-force attacks on VPNs underscore the importance of layered security. Cisco’s new ASA and FTD protections serve as critical additions to counter brute-force tactics, but network administrators should combine these with other measures, such as multi-factor authentication (MFA), strict access controls, and regular password updates, to ensure robust security.

For the affected devices, Cisco advises users to upgrade to the latest software versions and monitor authentication logs closely for signs of abuse. Implementing network segmentation and monitoring can further reduce the potential impact of a breach if one were to occur.
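The article describes the protections as detecting rapid authentication attempts and advises monitoring authentication logs for signs of abuse. The following is an added example, not Cisco's code and not part of the original article, showing what that monitoring looks like on exported syslog: it parses rejected-authentication messages, then flags a source that hammers one account (classic brute force) or that touches many distinct accounts in a short window (password spraying). The message layout is an assumption that approximates the ASA `%ASA-6-113005` "AAA user authentication Rejected" format, the sample lines are constructed, and the thresholds and 60-second window are arbitrary starting points to tune against your own traffic.

```python
"""Added example (not Cisco's code): flag brute-force and password-spraying
patterns in ASA-style remote-access VPN authentication syslog.

ASSUMPTION: the line layout below approximates the %ASA-6-113005 message
("AAA user authentication Rejected"); verify field names against the syslog
your own appliance exports before relying on the regex.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not captured from a real device.
# 203.0.113.7 sprays one guess across six accounts; 198.51.100.9 hammers
# "admin"; 192.0.2.4 is a single benign failure; the last line is unrelated noise.
SAMPLE_LOG = """\
Oct 24 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Oct 24 2024 10:00:02 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
Oct 24 2024 10:00:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
Oct 24 2024 10:00:04 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
Oct 24 2024 10:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.7
Oct 24 2024 10:00:06 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
Oct 24 2024 10:05:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:05:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:05:10 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:05:15 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:05:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:05:25 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:07:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = grace : user IP = 192.0.2.4
Oct 24 2024 10:08:00 fw01 %ASA-6-722022: Group <RAVPN> User <grace> IP <192.0.2.4> TCP SVC connection established without compression
"""

# Matches only the rejected-authentication message (assumed layout, see above).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)


def parse_rejects(log_text):
    """Return a list of (timestamp, user, source_ip) for each rejected-auth line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # successes, session messages and other noise are ignored
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def analyze(log_text, window_seconds=60, brute_threshold=5, spray_threshold=5):
    """Slide a time window over each source's failures and classify the pattern.

    brute_force:    one source, >= brute_threshold failures for the same user.
    password_spray: one source, >= spray_threshold distinct users in the window.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, user, src in parse_rejects(log_text):
        by_src[src].append((ts, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        brute_users, max_distinct, start = set(), 0, 0
        for i, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:  # drop events older than the window
                start += 1
            per_user = Counter(u for _, u in events[start:i + 1])
            brute_users.update(u for u, n in per_user.items() if n >= brute_threshold)
            max_distinct = max(max_distinct, len(per_user))
        if brute_users or max_distinct >= spray_threshold:
            alerts[src] = {
                "brute_force": sorted(brute_users),
                "password_spray": max_distinct >= spray_threshold,
                "distinct_users": max_distinct,
            }
    return alerts


if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(src, verdict)
```

The two detections are kept separate on purpose: a spray source never trips a per-account counter because it touches each account once, which is exactly why per-user lockout alone misses it, and an account-level lockout policy can itself become the DoS lever the article warns about. Source-level counting over a window catches both shapes and gives a value you can feed to a block rule or an MFA-challenge policy.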

By implementing these security features, Cisco ASA and FTD users can bolster defenses against the relentless tide of VPN brute-force attacks and maintain stronger protection for their remote access services.