
Cisco has added new security features that significantly mitigate brute-force and password spray attacks on Cisco ASA and Firepower Threat Defense (FTD), helping to protect the network from breaches and reducing resource utilization on devices.
Password spray and brute force attacks are similar in that they both attempt to gain unauthorized access to an online account by guessing a password.
However, password spray attacks will attempt to simultaneously use the same passwords across multiple accounts to evade defenses. In contrast, brute force attacks repeatedly target a single account with different password attempts.
In April, Cisco disclosed that threat actors were conducting massive brute-force attacks against VPN accounts on a variety of networking devices, including those from Cisco, Checkpoint, Fortinet, SonicWall, RD Web Services, Mikrotik, Draytek, and Ubiquiti.
Cisco warned that successful attacks could lead to unauthorized access, account lockouts, and denial-of-service states depending on the targeted environment.
These attacks allowed Cisco to uncover and fix a Denial of Service vulnerability, tracked as CVE-2024-20481, that exhausted resources on Cisco ASA and FTD devices when hit with these types of attacks.
New VPN brute-force attack protection features
After being hit with the attacks in April, Cisco introduced new threat detection capabilities in Cisco ASA and Firewall Threat Defense (FTD) that significantly reduce the impact of brute-force and password spray attacks.
While these features have been available for some software versions since June, they did not become available for all versions until this month.
Unfortunately, when speaking to some Cisco admins, they were unaware of these new features. However, those who were reported significant success in mitigating VPN brute-force attacks when the features are enabled.
“It worked so magically that the hourly 500K failures reduced to 170! over last night!,” a Cisco admin shared on Reddit.
These new features are part of the threat detection service and block the following types of attacks:
- Repeated failed authentication attempts to remote access VPN services (brute-force username/password scanning attacks).
- Client initiation attacks, where the attacker starts but does not complete connection attempts to a remote access VPN headend repeated times from a single host.
- Connection attempts to invalid remote access VPN services. That is, when attackers try to connect to specific built-in tunnel groups intended solely for the internal functioning of the device. Legitimate endpoints should never attempt to connect to these tunnel groups.
Cisco told BleepingComputer that client initiation attacks are usually carried out to consume resources, potentially putting the device in a denial of service state.
To enable these new features, you must be running a supported version of Cisco ASA and FTD, which are listed below:
ASA Software:
- 9.16 version train -> supported from 9.16(4)67 and newer versions within this specific train.
- 9.17 version train -> supported from 9.17(1)45 and newer versions within this specific train.
- 9.18 version train -> supported from 9.18(4)40 and newer versions within this specific train.
- 9.19 version train -> supported from 9.19(1).37 and newer versions within this specific train.
- 9.20 version train -> supported from 9.20(3) and newer versions within this specific train.
- 9.22 version train -> supported from 9.22(1.1) and any newer versions.
FTD Software:
- 7.0 version train -> supported from 7.0.6.3 and newer versions within this specific train.
- 7.2 version train -> supported from 7.2.9 and newer versions within this specific train.
- 7.4 version train -> supported from 7.4.2.1 and newer versions within this specific train.
- 7.6 version train -> supported from 7.6.0 and any newer versions.
If you are running a supported software version, you can use the following commands to enable the new features.
To prevent threat actors from attempting to connect to built-in tunnel groups that are not meant to normally be connected to, you would enter this command:
threat-detection service invalid-vpn-access
To prevent repeated attempts from the same IP address to initiate an authentication request to the RAVPN service but never complete it, you would use this command:
threat-detection service remote-access-client-initiations hold-down threshold
Finally, to prevent repeated authentication requests from the same IP address, you would use this command:
threat-detection service remote-access-authentication hold-down threshold
For both the remote-access-client-initiations and remote-access-authentication features, the hold-down (minutes) and threshold (count) variables have the following definitions:
- hold-down defines the period after the last initiation attempt during which consecutive connection attempts are counted. If the number of consecutive connection attempts meets the configured threshold within this period, the attacker's IPv4 address is shunned. You can set this period between 1 and 1440 minutes.
- threshold is the number of connection attempts required within the hold-down period to trigger a shun. You can set the threshold between 5 and 100.
If IP addresses make too many connection or authentication requests within the defined period, then the Cisco ASA and FTD software will shun, or block, the IP address indefinitely until you manually remove it using the following command:
no shun source_ip [ vlan vlan_id]
A Cisco ASA admin shared on Reddit a script that can automatically remove all shunned IP addresses every seven days.
An example of a complete configuration shared by Cisco that enables all three features is:
threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20
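The following is an added example, not Cisco's code or anything from the article's sources, that models how the hold-down and threshold values above interact. It parses the complete configuration quoted in the article, validates the values against the documented ranges (1 to 1440 minutes, 5 to 100 attempts), then replays a constructed set of failed-attempt timestamps to show which source addresses would end up shunned and the matching removal commands. The counting model (a per-source counter that resets once more than hold-down minutes pass since that source's previous attempt, with a shun when the counter reaches the threshold) is an interpretation of the article's description, not Cisco's internal implementation, and the sample IP addresses and timestamps are constructed.

```python
"""Model of ASA/FTD remote-access threat-detection shun behaviour (added example)."""
import re
from datetime import datetime, timedelta

# Constructed copy of the complete configuration quoted in the article.
CONFIG = """\
threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20
"""

CFG_RE = re.compile(
    r"^threat-detection service (remote-access-[a-z-]+) hold-down (\d+) threshold (\d+)$"
)


def parse_config(text):
    """Return {service: (hold_down_minutes, threshold)} for the two services that take
    hold-down/threshold, rejecting values outside the ranges the article documents."""
    services = {}
    for raw in text.splitlines():
        m = CFG_RE.match(raw.strip())
        if not m:
            continue  # invalid-vpn-access takes no parameters; unrelated lines ignored
        service, hold_down, threshold = m.group(1), int(m.group(2)), int(m.group(3))
        if not 1 <= hold_down <= 1440:
            raise ValueError(f"{service}: hold-down {hold_down} outside 1-1440 minutes")
        if not 5 <= threshold <= 100:
            raise ValueError(f"{service}: threshold {threshold} outside 5-100")
        services[service] = (hold_down, threshold)
    return services


def shunned_sources(events, hold_down_minutes, threshold):
    """Modelling assumption: per source IP, count consecutive attempts; the counter
    resets when more than hold-down minutes pass since that source's previous
    attempt; the IP is shunned once the counter reaches the threshold.
    events: iterable of (datetime, source_ip), assumed sorted by time."""
    window = timedelta(minutes=hold_down_minutes)
    last_seen, count, shunned = {}, {}, set()
    for ts, ip in events:
        if ip in shunned:
            continue  # already blocked; further attempts never reach the service
        if ip in last_seen and ts - last_seen[ip] <= window:
            count[ip] += 1
        else:
            count[ip] = 1  # first attempt, or the previous one aged out of the window
        last_seen[ip] = ts
        if count[ip] >= threshold:
            shunned.add(ip)
    return shunned


def unshun_commands(ips):
    """Build the manual-removal commands the article cites (no shun source_ip)."""
    return [f"no shun {ip}" for ip in sorted(ips)]


def constructed_events():
    """Constructed sample: a sprayer at 203.0.113.10 failing every 10 s, a slow scanner
    at 198.51.100.7 failing every 15 min (outside the 10-min window, so it never
    accumulates), and a legitimate user at 192.0.2.5 who mistypes twice."""
    t0 = datetime(2024, 10, 1, 2, 0, 0)
    events = [(t0 + timedelta(seconds=10 * i), "203.0.113.10") for i in range(25)]
    events += [(t0 + timedelta(minutes=15 * i), "198.51.100.7") for i in range(40)]
    events += [(t0 + timedelta(minutes=1), "192.0.2.5"),
               (t0 + timedelta(minutes=2), "192.0.2.5")]
    return sorted(events)


def demo():
    """Apply the remote-access-authentication settings to the constructed events."""
    cfg = parse_config(CONFIG)
    hold_down, threshold = cfg["remote-access-authentication"]
    blocked = shunned_sources(constructed_events(), hold_down, threshold)
    return blocked, unshun_commands(blocked)


if __name__ == "__main__":
    blocked, cmds = demo()
    print("would be shunned:", sorted(blocked))
    print("\n".join(cmds))
```

The slow scanner illustrates the limit of the hold-down window: attempts spaced further apart than the configured minutes never accumulate toward the threshold, which is why lowering hold-down (or raising threshold) trades fewer false positives for less coverage of low-and-slow sources.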
An admin on Reddit further noted that the client initiation protections caused some false positives in their environment but performed better after reverting to the defaults of hold-down 10 and threshold 20.
When BleepingComputer asked if there is any downside to using these features if RAVPN is enabled, they said there could be a potential for a performance impact.
“There is no expected “downside,” but the potential for performance impact can exist when enabling new features based on existing system configuration and traffic load,” Cisco told BleepingComputer.
Overall, if you are targeted by threat actors trying to brute force your VPN accounts, it is strongly recommended that you enable these features to mitigate these attacks, as compromised VPN credentials are commonly used to breach networks for ransomware attacks.
