CVE-2024-20341

6.1 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute cross-site scripting (XSS) attacks against users accessing Cisco ASA/FTD VPN web client services. Attackers can inject malicious scripts by tricking users into clicking specially crafted links. Affected systems include Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software with VPN web client services enabled.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - check Cisco advisories for specific affected versions
Operating Systems: Cisco ASA/FTD OS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when VPN web client services are enabled. Systems without this feature enabled are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, credentials, or sensitive data from authenticated users, potentially gaining administrative access to the firewall/VPN system.

🟠 Likely Case

Attackers could perform session hijacking, credential theft, or redirect users to malicious sites while appearing to be legitimate VPN portal pages.

🟢 If Mitigated

With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to unsuccessful injection attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but no authentication. Attack is delivered via crafted URLs targeting web client endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisories for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-xss-yjj7ZjVq

Restart Required: Yes

Instructions:

1. Identify affected ASA/FTD versions.
2. Download and apply Cisco-recommended patches.
3. Restart affected services or devices as required.
4. Verify patch application and test VPN functionality.

🔧 Temporary Workarounds

Disable VPN Web Client Services

cisco-asa

Temporarily disable the vulnerable VPN web client services feature if it is not required. The commands are entered from global configuration mode; disabling WebVPN on an interface also stops any clientless SSL VPN and AnyConnect SSL sessions that terminate on that interface, so confirm nothing else depends on it first.

webvpn
 no enable outside

Implement Input Validation

all

Add input validation and output encoding for web client endpoints. This is a change to the product's own web code that only the vendor can ship; for an operator, the practical equivalent is applying the patch or placing WAF rules in front of the VPN portal.

🧯 If You Can't Patch

  • Disable VPN web client services if not essential for operations
  • Implement web application firewall (WAF) rules to block XSS payloads targeting VPN endpoints

🔍 How to Verify

Check if Vulnerable:

Check if VPN web client services are enabled and verify ASA/FTD version against Cisco's affected versions list

Check Version:

show version | include Version

Verify Fix Applied:

Verify patch version is installed and test VPN web client functionality with safe XSS test payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns in web access logs
  • Multiple failed XSS attempts
  • Suspicious user-agent strings

Network Indicators:

  • HTTP requests with script tags or JavaScript in URL parameters to VPN endpoints
  • Unusual traffic patterns to /+webvpn+/ endpoints

SIEM Query:

source="asa_logs" AND (url="*<script>*" OR url="*javascript:*") AND dest_port=443

As written, this search only matches literal payloads: URL-encoded forms such as %3Cscript%3E will not hit unless the url field is decoded before matching, so either normalize the field in the pipeline or add the encoded variants to the search.
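As an added illustration of the detection logic above (example code, not from the page or from Cisco), the following Python scans constructed syslog lines in the style of ASA WebVPN access messages for the indicators this page lists; the 716003 message ID and field layout are assumptions, and the repeated percent-decoding is what lets it catch the encoded variants a literal match misses.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the style of ASA WebVPN access syslog (not real
# captures; message ID and layout are assumptions). IPs are RFC 5737 ranges.
SAMPLE_LOGS = [
    "%ASA-6-716003: Group <vpn> User <alice> IP <203.0.113.5> WebVPN access GRANTED: /+webvpn+/index.html",
    "%ASA-6-716003: Group <vpn> User <bob> IP <203.0.113.9> WebVPN access GRANTED: /+webvpn+/portal.html?q=<script>alert(1)</script>",
    "%ASA-6-716003: Group <vpn> User <bob> IP <203.0.113.9> WebVPN access GRANTED: /+webvpn+/portal.html?q=%253Cscript%253E",
    "%ASA-6-716003: Group <vpn> User <carol> IP <198.51.100.7> WebVPN access GRANTED: /+webvpn+/redir?u=javascript%3Aalert(1)",
    "%ASA-6-716003: Group <vpn> User <dave> IP <192.0.2.4> WebVPN access GRANTED: /+webvpn+/logo.png",
]

# Indicators the page lists: script tags or javascript: URIs in /+webvpn+/ requests.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}
URL_RE = re.compile(r"WebVPN access GRANTED: (\S+)")
IP_RE = re.compile(r"IP <([^>]+)>")

def normalize_url(url, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded payloads match."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def inspect_line(line):
    """Return (src_ip, decoded_url, indicator) for a suspicious line, else None."""
    m = URL_RE.search(line)
    if not m:
        return None
    url = normalize_url(m.group(1))
    if not url.startswith("/+webvpn+/"):
        return None  # only the VPN web client endpoints are in scope here
    for name, pattern in INDICATORS.items():
        if pattern.search(url):
            ip = IP_RE.search(line)
            return (ip.group(1) if ip else "unknown", url, name)
    return None

def scan(lines):
    """Return the list of hits and a per-source-IP count so repeat attempts stand out."""
    hits = [h for h in map(inspect_line, lines) if h]
    return hits, Counter(h[0] for h in hits)
```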

🔗 References
