CVE-2024-20500
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to cause a denial-of-service condition in the Cisco AnyConnect VPN server on Meraki MX and Z Series devices by sending crafted TLS/SSL messages. The attack prevents new SSL VPN connections from being established while existing sessions remain unaffected. Organizations using affected Meraki devices with AnyConnect VPN enabled are vulnerable.
💻 Affected Systems
- Cisco Meraki MX Series
- Cisco Meraki Z Series Teleworker Gateway
⚠️ Risk & Real-World Impact
Worst Case
VPN service becomes unavailable for new connections, disrupting remote access for employees and potentially affecting business operations until attack traffic stops.
Likely Case
Temporary disruption of new VPN connections during an attack, with service automatically recovering when attack traffic ceases.
If Mitigated
Minimal impact with proper network segmentation, rate limiting, and monitoring in place to detect and block attack traffic.
🎯 Exploit Status
Exploitation requires sending crafted TLS/SSL messages to the VPN server, which is relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco Security Advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2
Restart Required: Yes
Instructions:
1. Log into the Meraki dashboard.
2. Navigate to Security & SD-WAN > Configure > Site-to-site VPN.
3. Update firmware to the latest version.
4. Reboot affected devices after the update.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the VPN server to trusted IP addresses only.
Rate Limiting
Implement rate limiting on VPN server connections to prevent flood attacks.
🧯 If You Can't Patch
- Implement network segmentation to isolate VPN servers from untrusted networks
- Deploy intrusion prevention systems (IPS) to detect and block crafted TLS/SSL traffic
🔍 How to Verify
Check if Vulnerable:
Check Meraki dashboard for device firmware version and compare against advisory. Verify AnyConnect VPN is enabled.
Check Version:
In Meraki dashboard: Organization > Monitor > Devices > select device > Firmware version
Verify Fix Applied:
Confirm firmware version is updated to patched version in Meraki dashboard and test VPN connectivity.
📡 Detection & Monitoring
Log Indicators:
- Unusual spike in failed VPN connection attempts
- VPN service restart events
- High resource utilization on VPN server
Network Indicators:
- Abnormal volume of TLS/SSL traffic to VPN port (typically 443)
- Multiple rapid connection attempts from single sources
SIEM Query:
source="meraki" AND (event_type="vpn_failure" OR event_type="service_restart") AND count > threshold
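The log and network indicators above (a spike in failed VPN connection attempts, rapid repeated attempts from a single source, service restarts) can be checked with a small sliding-window detector. The following is an added example, not code from Cisco or from the original page; it assumes a constructed syslog-style line format (`<timestamp> <device> <event_type> key=value ...`), which is not the real Meraki event log format, so the parser would need adjusting for exported dashboard or syslog data.

```python
"""Flag per-source bursts of failed SSL VPN connection attempts.

Added example (not Cisco's or the page's own code). The log format below is
an assumption for illustration; real Meraki event log fields differ.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log lines: one source produces six failures in six
# seconds (flood pattern), another produces two spaced-out failures (benign),
# and one service restart event is recorded.
SAMPLE_LOGS = """\
2024-10-02T10:00:01Z MX250-hq vpn_failure src=203.0.113.7 reason=tls_handshake_error
2024-10-02T10:00:02Z MX250-hq vpn_failure src=203.0.113.7 reason=tls_handshake_error
2024-10-02T10:00:02Z MX250-hq vpn_failure src=198.51.100.4 reason=auth_failed
2024-10-02T10:00:03Z MX250-hq vpn_failure src=203.0.113.7 reason=tls_handshake_error
2024-10-02T10:00:04Z MX250-hq vpn_failure src=203.0.113.7 reason=tls_handshake_error
2024-10-02T10:00:05Z MX250-hq vpn_failure src=203.0.113.7 reason=tls_handshake_error
2024-10-02T10:00:06Z MX250-hq vpn_failure src=203.0.113.7 reason=tls_handshake_error
2024-10-02T10:00:07Z MX250-hq service_restart service=anyconnect
2024-10-02T10:00:40Z MX250-hq vpn_failure src=198.51.100.4 reason=auth_failed
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one assumed-format line into a dict; return None for junk lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    event = {"ts": ts, "device": parts[1], "event_type": parts[2]}
    for kv in parts[3:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def detect_flood(lines: List[str], window_seconds: int = 10,
                 threshold: int = 5) -> Dict[str, int]:
    """Return {source_ip: peak failures within any window} for sources whose
    peak reaches the threshold. Uses a per-source sliding window so a slow
    trickle of failures over a long period is not flagged."""
    recent = defaultdict(deque)  # src -> timestamps of failures in window
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["event_type"] != "vpn_failure" or "src" not in ev:
            continue
        src = ev["src"]
        q = recent[src]
        q.append(ev["ts"])
        # Drop events older than the window relative to the newest event.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def count_events(lines: List[str]) -> Counter:
    """Count event types, e.g. to surface service_restart events alongside floods."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[ev["event_type"]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("burst sources:", detect_flood(lines))      # {'203.0.113.7': 6}
    print("event counts:", dict(count_events(lines)))
```

The window and threshold are tuning knobs: set them from a baseline of normal failed-connection rates on your own VPN concentrator so that legitimate users mistyping credentials are not flagged, and treat a flood that coincides with a `service_restart` event as the stronger signal.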