CVE-2024-20493

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to temporarily deny VPN authentication for several minutes by sending crafted packets that exhaust memory resources during the authentication process. It affects Cisco ASA and FTD software with Remote Access SSL VPN enabled. The impact is a temporary denial of service for VPN users.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected versions
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ✅ No
Notes: Only affects systems with Remote Access SSL VPN feature enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: VPN authentication completely unavailable for all users for several minutes, disrupting remote access to critical systems.

🟠 Likely Case: Intermittent VPN authentication failures lasting several minutes, causing user frustration and productivity loss.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring, though brief authentication delays may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted packets to the VPN authentication service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - see Cisco advisory for specific fixed releases

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-vpn-4gYEWMKg

Restart Required: Yes

Instructions:

1. Check current ASA/FTD version.
2. Review Cisco advisory for fixed releases.
3. Download and apply appropriate patch.
4. Reboot device.
5. Verify fix applied successfully.

🔧 Temporary Workarounds

Rate Limiting VPN Authentication

Applies to: all

Implement rate limiting on VPN authentication requests to reduce the impact of resource exhaustion attacks.

Configure rate limiting in the ASA/FTD VPN authentication settings.

Network Segmentation

Applies to: all

Restrict access to VPN authentication endpoints to trusted networks only.

Implement ACLs to limit access to the VPN endpoint.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach VPN authentication endpoints
  • Deploy additional monitoring and alerting for VPN authentication failures and resource exhaustion

🔍 How to Verify

Check if Vulnerable:

Check ASA/FTD version and verify Remote Access SSL VPN is enabled. Compare version against affected versions in Cisco advisory.

Check Version:

show version (on both ASA and FTD)

Verify Fix Applied:

Verify ASA/FTD version is updated to fixed release specified in Cisco advisory and test VPN authentication functionality.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts in short time
  • Memory exhaustion warnings in system logs
  • VPN authentication service restart events

Network Indicators:

  • Unusual volume of packets to VPN authentication port (typically 443)
  • Pattern of crafted authentication packets

SIEM Query:

(source="asa" OR source="ftd") AND (event_type="authentication_failure" OR event_type="memory_warning") | stats count by src_ip
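The "multiple failed authentication attempts in short time" indicator above, implemented as a sliding-window check per source IP (the same grouping as the SIEM query's `stats count by src_ip`). This is an added example, not from the page or from Cisco; the sample lines are constructed and modelled on ASA `%ASA-6-113005` AAA-rejection syslog messages, with made-up hostnames, addresses and timestamps, and the ISO timestamp prefix is an assumption about how the collector stamps the lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on ASA "AAA user authentication Rejected"
# messages (%ASA-6-113005); hostnames, addresses, users and timestamps are made up.
SAMPLE_LOGS = """\
2024-09-03T10:00:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = alice : user IP = 203.0.113.10
2024-09-03T10:00:03 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = bob : user IP = 203.0.113.10
2024-09-03T10:00:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = carol : user IP = 198.51.100.7
2024-09-03T10:00:06 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = dave : user IP = 203.0.113.10
2024-09-03T10:00:08 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = erin : user IP = 203.0.113.10
2024-09-03T10:00:10 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51000 (203.0.113.10/51000) to identity:192.0.2.1/443 (192.0.2.1/443)
2024-09-03T10:00:12 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = frank : user IP = 203.0.113.10
2024-09-03T10:00:15 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = grace : user IP = 203.0.113.10
2024-09-03T10:03:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = carol : user IP = 198.51.100.7
"""

# Matches only AAA rejection messages and captures the timestamp and the client IP.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-113005: AAA user authentication Rejected .*? user IP = (?P<ip>[\d.]+)"
)

def parse_rejections(text):
    """Yield (timestamp, source_ip) for each AAA rejection line; other messages are skipped."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("ip")

def flag_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak_count} for sources with >= threshold rejections inside any single window."""
    recent = defaultdict(deque)   # per-source timestamps still inside the sliding window
    peak = defaultdict(int)       # largest window count seen per source
    for ts, ip in sorted(parse_rejections(text)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events that have aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {n} rejections within 60s")
```

Tune the threshold and window to the normal failure rate of your user base; a burst of rejections from one source is only one of the indicators listed above and should be correlated with the memory warnings and service restarts.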
