CVE-2024-20498
📋 TL;DR
This vulnerability lets an unauthenticated, remote attacker cause a denial of service on Cisco Meraki MX and Z Series appliances by sending crafted HTTPS requests to the AnyConnect VPN server. A successful attack forces the VPN service to restart, which drops established SSL VPN sessions and, for as long as the attack traffic keeps arriving, blocks new ones. Only deployments with AnyConnect VPN enabled expose the affected listener, so those are the ones at risk.
💻 Affected Systems
- Cisco Meraki MX Series security appliances (with AnyConnect VPN enabled)
- Cisco Meraki Z Series Teleworker Gateways (with AnyConnect VPN enabled)
⚠️ Risk & Real-World Impact
Worst Case
A sustained attack keeps the AnyConnect VPN server in a restart loop, so SSL VPN connectivity is effectively unavailable and remote users cannot reach internal resources until the attack traffic stops.
Likely Case
Intermittent VPN service restarts drop active sessions and force users to reconnect, costing productivity and adding reconnection load on the authentication backend as every dropped user re-authenticates at once.
If Mitigated
With the fixed firmware applied there is no impact. Where the fix is not yet applied but the VPN listener is reachable only from allowed sources, rate limiting is enforced upstream, and restarts are monitored, the effect is short interruptions confined to attack windows rather than sustained outage.
🎯 Exploit Status
Exploitation requires only the ability to reach the AnyConnect VPN server's HTTPS listener (TCP 443 by default) and send crafted requests; no credentials or prior access are needed. Since the VPN endpoint is by design exposed to the Internet, any attacker who can find it can attempt the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Cisco Security Advisory for the fixed firmware release that applies to your MX or Z platform
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2
Restart Required: Yes (the appliance reboots as part of the Meraki firmware upgrade)
Instructions:
1. Log into the Meraki dashboard
2. Navigate to Organization > Monitor > Firmware upgrades (firmware is managed here, not on the VPN configuration page)
3. Compare the current MX/Z firmware of each affected network against the fixed release listed in the advisory
4. Schedule the upgrade to the fixed release; the appliance reboots automatically during the upgrade, so pick a maintenance window and expect active VPN sessions to drop once
5. After the upgrade completes, confirm the new firmware version under Security & SD-WAN > Monitor > Appliance status
🔧 Temporary Workarounds
Restrict VPN Access
Limit exposure of the AnyConnect listener with source IP allow lists or geofencing. This only helps where your user population has predictable source addresses; remote workers on residential or mobile connections usually do not, so treat it as a partial measure.
Enable Rate Limiting
Apply connection rate limiting to the VPN endpoint upstream of the appliance (at the perimeter or provider edge). This shrinks the attack window but does not remove the flaw: a single crafted request that gets through still restarts the service.
Neither workaround replaces the firmware update; they reduce how often an attacker can trigger the restart, not whether they can.
🧯 If You Can't Patch
- Put network-based IPS/IDS rules in front of the VPN endpoint. The attack traffic is HTTPS, so an inline sensor that does not terminate TLS can only act on connection metadata (source, rate, TLS handshake anomalies), not on the crafted request itself; signature matching on the request body requires TLS termination in front of the appliance.
- Spread users across multiple VPN endpoints behind load balancing to keep some capacity available during an attack. Every endpoint on unpatched firmware is equally vulnerable, so this buys resilience against an attacker targeting one address, not protection against one targeting all of them.
🔍 How to Verify
Check if Vulnerable:
A device is exposed when both conditions hold: it runs firmware older than the fixed release in the Cisco advisory, and AnyConnect VPN is enabled on it. Check the firmware version in the Meraki dashboard and compare it against the advisory; check AnyConnect enablement under Security & SD-WAN > Configure > Client VPN.
Check Version:
In the Meraki dashboard: Security & SD-WAN > Monitor > Appliance status > Firmware version
Verify Fix Applied:
Confirm the reported firmware version is the fixed release or later, then watch VPN service stability (no further unexplained restarts) over the following days.
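Checking one appliance in the dashboard is fine; checking every MX and Z in an organization is easier through the Meraki Dashboard API. The script below is an added example, not Cisco's tooling or anything from the advisory. It pulls all devices with GET /organizations/{orgId}/devices (following the Link header that Meraki uses for pagination), keeps the ones whose model starts with "MX" or "Z" (an assumption about model naming), parses the firmware string on the assumption that the dashboard reports it as "wired-MAJOR-MINOR-PATCH", and compares it against the fixed release you copy from the advisory, one per firmware train. A device on a train with no fixed release supplied is reported as "unknown" rather than guessed at, since a higher major number alone does not prove the fix is present. It checks firmware only; whether AnyConnect is enabled still has to be confirmed in the dashboard.

```python
import json
import re
import sys
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"
# Assumption: the dashboard reports MX/Z firmware as "wired-MAJOR-MINOR-PATCH",
# e.g. "wired-18-211-2". Anything else is reported as "unknown" rather than guessed.
FIRMWARE_RE = re.compile(r"^wired-(\d+)-(\d+)-(\d+)$")


def parse_version(text):
    """Turn an advisory-style release string such as '18.211.2' into (18, 211, 2)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return tuple(int(p) for p in parts)


def parse_firmware(firmware):
    """Turn a dashboard firmware string such as 'wired-18-211-2' into (18, 211, 2), or None."""
    m = FIRMWARE_RE.match(firmware or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(devices, fixed_releases):
    """Label every MX/Z device as patched, vulnerable or unknown.

    fixed_releases: one (major, minor, patch) tuple per firmware train, copied
    from the Cisco advisory. A device on a train with no listed fix is 'unknown'.
    """
    fixed_by_train = {rel[0]: rel for rel in fixed_releases}
    results = []
    for dev in devices:
        model = dev.get("model") or ""
        # Assumption: MX and Z appliances are identified by their model prefix.
        if not (model.startswith("MX") or model.startswith("Z")):
            continue
        running = parse_firmware(dev.get("firmware"))
        if running is None or running[0] not in fixed_by_train:
            status = "unknown"
        elif running >= fixed_by_train[running[0]]:
            status = "patched"
        else:
            status = "vulnerable"
        results.append({"serial": dev.get("serial"), "model": model,
                        "firmware": dev.get("firmware"), "status": status})
    return results


def next_link(link_header):
    """Return the rel=next URL from a Link header, or None on the last page."""
    for part in link_header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        if len(pieces) == 2 and pieces[1].replace('"', "") == "rel=next":
            return pieces[0].strip("<>")
    return None


def fetch_org_devices(org_id, api_key):
    """Page through GET /organizations/{orgId}/devices and return every device record."""
    url = f"{API_BASE}/organizations/{org_id}/devices?perPage=1000"
    devices = []
    while url:
        req = urllib.request.Request(url, headers={"X-Cisco-Meraki-API-Key": api_key,
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            devices.extend(json.load(resp))
            url = next_link(resp.headers.get("Link", ""))
    return devices


if __name__ == "__main__":
    # usage: python check_meraki_fw.py ORG_ID API_KEY FIXED_RELEASE [FIXED_RELEASE ...]
    if len(sys.argv) < 4:
        sys.exit("usage: ORG_ID API_KEY FIXED_RELEASE [FIXED_RELEASE ...]")
    org_id, api_key, *fixed = sys.argv[1:]
    report = classify(fetch_org_devices(org_id, api_key), [parse_version(f) for f in fixed])
    for row in report:
        print(f"{row['status']:<10} {row['model']:<8} {row['serial']}  {row['firmware']}")
```

Run it with the fixed release strings taken from the advisory (one per train you operate); a 403 means the API key lacks read access to the organization. Devices reported as "unknown" need a manual look, either because the firmware string was in an unexpected format or because you did not supply a fixed release for that train.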
📡 Detection & Monitoring
Log Indicators:
- Repeated AnyConnect VPN service restarts with no corresponding configuration change or firmware upgrade
- A burst of new HTTPS connections to the VPN listener from one or a few source addresses
- A spike in failed or dropped VPN sessions that coincides with the restarts (users reconnecting after each restart)
Network Indicators:
- Abnormal volume of TCP connections to the VPN listener on port 443 (or whichever port AnyConnect is configured on)
- Many short-lived TCP connections to the VPN service from the same source, each carrying a TLS handshake and little else
SIEM Query:
The attack requests are inside TLS, so a firewall or IDS log source that does not terminate TLS will not carry the HTTP request URI or status code; the usable signals are VPN restart events and connection rate per source. The query below is a template with illustrative field and event names; map "vpn_restart" and the other fields to what your Meraki syslog export actually emits.
source="meraki-firewall" AND (event_type="vpn_restart" OR (protocol="tcp" AND destination_port=443 AND destination_ip="<VPN endpoint>")) grouped by source_ip over a 60-second window, alerting when one source exceeds your normal per-client connection rate or when two or more restarts occur in the window
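As an added example of the detection logic above in runnable form (not code from the page's author or from Cisco), the script below replays constructed log lines loosely shaped like Meraki MX syslog (epoch timestamp, device name, log type, key=value fields) and raises two alerts: a per-source burst of TCP connections to the VPN port inside a sliding window, and repeated VPN service restarts inside the same window. The sample log, the "vpn_restart" event name (the page's own illustrative label) and the thresholds are all constructed; adjust the parser and names to your real export before using it.

```python
import re
from collections import defaultdict, deque

# Assumed line shape: "<epoch ts> <device> <log type> key=value ..." (constructed,
# loosely modelled on Meraki MX syslog; adapt the regexes to your real export).
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<dev>\S+)\s+(?P<kind>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def build_sample_log():
    """Constructed sample: one normal client, one abusive source, two restarts."""
    lines = []
    # A legitimate client: three connections spread over a minute.
    for i, t in enumerate((1728000000.0, 1728000020.0, 1728000040.0)):
        lines.append(f"{t:.3f} MX250 flows src=198.51.100.25 dst=198.51.100.10 "
                     f"protocol=tcp sport={40000 + i} dport=443 pattern: allow all")
    # An abusive source: thirty connections in nine seconds to the VPN listener.
    for i in range(30):
        t = 1728000005.0 + i * 0.3
        lines.append(f"{t:.3f} MX250 flows src=203.0.113.7 dst=198.51.100.10 "
                     f"protocol=tcp sport={50000 + i} dport=443 pattern: allow all")
    # Two VPN service restarts during the burst ("vpn_restart" is an illustrative
    # event name, not a confirmed Meraki event type).
    lines.append("1728000009.000 MX250 events type=vpn_restart")
    lines.append("1728000014.500 MX250 events type=vpn_restart")
    return sorted(lines, key=lambda line: float(line.split()[0]))


def parse_line(line):
    """Split a line into ts/dev/kind plus its key=value fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "dev": m["dev"], "kind": m["kind"]}
    rec.update(KV_RE.findall(m["rest"]))
    return rec


def analyse(lines, window=60.0, conn_threshold=20, restart_threshold=2, vpn_port="443"):
    """Sliding-window detection: per-source connection bursts and repeated restarts."""
    conns = defaultdict(deque)   # source ip -> timestamps of connections to the VPN port
    restarts = deque()           # timestamps of VPN service restarts
    flagged_sources = set()
    restart_alerted = False
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts = rec["ts"]
        if rec["kind"] == "flows" and rec.get("protocol") == "tcp" and rec.get("dport") == vpn_port:
            src = rec.get("src", "?")
            q = conns[src]
            q.append(ts)
            while q and ts - q[0] > window:      # expire entries older than the window
                q.popleft()
            if len(q) >= conn_threshold and src not in flagged_sources:
                flagged_sources.add(src)         # alert once per source, not per packet
                alerts.append({"rule": "burst_443", "subject": src, "count": len(q), "ts": ts})
        elif rec["kind"] == "events" and rec.get("type") == "vpn_restart":
            restarts.append(ts)
            while restarts and ts - restarts[0] > window:
                restarts.popleft()
            if len(restarts) >= restart_threshold and not restart_alerted:
                restart_alerted = True
                alerts.append({"rule": "repeated_vpn_restart", "subject": rec["dev"],
                               "count": len(restarts), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

The per-source threshold should be set from your own baseline: a normal AnyConnect client opens a handful of connections per session, so twenty within a minute from one address is well outside that. The restart rule is the higher-confidence signal, because a VPN server restarting twice in a minute with no upgrade in progress is abnormal regardless of what the network side shows; correlate the two to decide whether you are looking at this vulnerability or an unrelated stability problem.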