CVE-2024-20509
📋 TL;DR
This vulnerability in Cisco Meraki MX and Z Series VPN gateways allows unauthenticated attackers to hijack active AnyConnect VPN sessions or prevent users from connecting. Attackers exploit weak entropy and a race condition during authentication by guessing handler IDs and sending crafted HTTPS requests. Organizations using affected Meraki devices for VPN access are at risk.
💻 Affected Systems
- Cisco Meraki MX Series
- Cisco Meraki Z Series Teleworker Gateway
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack active VPN sessions, gaining unauthorized access to internal networks and potentially compromising sensitive data or systems.
Likely Case
Attackers would cause denial of service for individual VPN users, preventing legitimate access to corporate resources.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to temporary VPN connectivity issues for affected users.
🎯 Exploit Status
Exploitation requires guessing authentication handler IDs and timing attacks, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MX 18.107.5 or later, Z3 4.0-4.1 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-by-QWUkqV7X
Restart Required: Yes
Instructions:
1. Log into the Meraki dashboard
2. Navigate to Security & SD-WAN > Configure > Addressing & VLANs
3. Update firmware to MX 18.107.5+ or Z3 4.0-4.1+
4. Reboot the device after the update completes
🔧 Temporary Workarounds
Disable AnyConnect VPN
Temporarily disable the AnyConnect VPN service if it is not required
Meraki Dashboard: Security & SD-WAN > Configure > Client VPN > Disable AnyConnect
Restrict VPN Access
Limit VPN access to specific source IP ranges where possible
Meraki Dashboard: Security & SD-WAN > Configure > Client VPN > Configure access restrictions
🧯 If You Can't Patch
- Implement network monitoring for unusual VPN authentication patterns
- Use multi-factor authentication for VPN access to limit impact of session hijacking
🔍 How to Verify
Check if Vulnerable:
Check the Meraki dashboard for the device firmware version. If the MX firmware is below 18.107.5, or the Z3 firmware is below 4.0-4.1, and AnyConnect is enabled, the device is vulnerable.
Check Version:
Meraki Dashboard: Organization > Monitor > Devices > Select device > Firmware version
Verify Fix Applied:
Confirm that the firmware version shows MX ≥ 18.107.5 or Z3 ≥ 4.0-4.1 in the Meraki dashboard after the update.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed VPN authentication attempts from the same source
- Unusual VPN session handoffs or terminations
- VPN connection attempts with malformed authentication requests
Network Indicators:
- Spike in HTTPS requests to VPN authentication endpoints
- Unusual traffic patterns during VPN session establishment
SIEM Query:
source="meraki-vpn" AND (event_type="authentication_failure" OR event_type="session_hijack")
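The two log indicators above ("multiple failed VPN authentication attempts from the same source" and "unusual VPN session handoffs or terminations") can be turned into simple sliding-window rules. The script below is an added example written for this page, not Cisco or Meraki code; the key=value line format, field names (`src`, `event_type`, `user`) and the sample lines are all constructed for illustration, so map them to the fields your syslog export or SIEM actually emits. The event type names match the ones used in the SIEM query above.

```python
"""Added example: flag the log indicators listed above over constructed sample lines.

The key=value format below is assumed for illustration and is not Cisco's real
syslog schema; adapt the regex to the fields your SIEM actually stores.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines (hypothetical format, documentation-range IPs).
SAMPLE_LOGS = """\
2024-10-02T10:00:00Z src=198.51.100.7 event_type=session_established user=alice
2024-10-02T10:00:05Z src=203.0.113.10 event_type=authentication_failure user=bob
2024-10-02T10:00:06Z src=203.0.113.10 event_type=authentication_failure user=bob
2024-10-02T10:00:07Z src=203.0.113.10 event_type=authentication_failure user=carol
2024-10-02T10:00:08Z src=203.0.113.10 event_type=authentication_failure user=dave
2024-10-02T10:00:09Z src=203.0.113.10 event_type=authentication_failure user=erin
2024-10-02T10:00:30Z src=198.51.100.7 event_type=session_terminated user=alice
2024-10-02T10:00:31Z src=203.0.113.10 event_type=session_established user=alice
2024-10-02T10:05:00Z src=192.0.2.44 event_type=authentication_failure user=frank
"""

FAILURE_THRESHOLD = 5                    # failures from one source ...
FAILURE_WINDOW = timedelta(seconds=60)   # ... inside this sliding window
HANDOFF_WINDOW = timedelta(seconds=10)   # teardown followed by re-establish from a new source

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+event_type=(?P<event>\S+)\s+user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one key=value line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "event": m["event"], "user": m["user"]}


def parse_logs(text):
    """Parse all lines, silently skipping unparseable ones."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def burst_failures(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Return {src: peak_count} for sources that reach `threshold` auth failures within `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = {}
    for e in events:              # events are assumed to be in chronological order
        if e["event"] != "authentication_failure":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[e["src"]] = max(flagged.get(e["src"], 0), len(q))
    return flagged


def suspicious_handoffs(events, window=HANDOFF_WINDOW):
    """Return (user, old_src, new_src) tuples where a user's session is torn down and then
    re-established from a different source within `window`: the "unusual handoff" indicator."""
    last_termination = {}         # user -> most recent session_terminated event
    hits = []
    for e in events:
        if e["event"] == "session_terminated":
            last_termination[e["user"]] = e
        elif e["event"] == "session_established":
            prev = last_termination.get(e["user"])
            if prev and prev["src"] != e["src"] and e["ts"] - prev["ts"] <= window:
                hits.append((e["user"], prev["src"], e["src"]))
    return hits


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("burst auth failures:", burst_failures(evs))      # {'203.0.113.10': 5}
    print("suspicious handoffs:", suspicious_handoffs(evs))  # [('alice', '198.51.100.7', '203.0.113.10')]
```

Tune `FAILURE_THRESHOLD` and the windows to your baseline; the handoff rule in particular will fire on legitimate roaming clients whose public address changes (mobile users, NAT pools), so treat it as a triage signal to correlate with the firmware check above rather than a standalone alert.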