Cisco has added new security features that significantly mitigate brute-force and password spray attacks on Cisco ASA and Firepower Threat Defense (FTD), helping protect the network from breaches and reducing resource utilization on devices.
Password spray and brute force attacks are similar in that they both attempt to gain unauthorized access to an online account by guessing a password.
However, password spray attacks try the same passwords across many accounts at once to evade defenses. In contrast, brute force attacks repeatedly target a single account with different password attempts.
In April, Cisco disclosed that threat actors were conducting massive brute-force attacks against VPN accounts on a variety of networking devices, including those from Cisco, Checkpoint, Fortinet, SonicWall, RD Web Services, MikroTik, Draytek, and Ubiquiti.
Cisco warned that successful attacks could lead to unauthorized access, account lockouts, and denial-of-service states depending on the targeted environment.
These attacks allowed Cisco to uncover and fix a Denial of Service vulnerability, tracked as CVE-2024-20481, that exhausted resources on Cisco ASA and FTD devices when hit with these types of attacks.
New VPN brute-force attack protection features
After being hit with the attacks in April, Cisco introduced new threat detection capabilities in Cisco ASA and Firewall Threat Defense (FTD) that significantly reduce the impact of brute-force and password spray attacks.
While these features have been available for some software versions since June, they did not become available for all versions until this month.
Unfortunately, some Cisco admins BleepingComputer spoke with were unaware of these new features. However, those who were aware reported significant success in mitigating VPN brute-force attacks once the features were enabled.
“It worked so magically that the hourly 500K failures reduced to 170! over last night!,” a Cisco admin shared on Reddit.
These new features are part of the threat detection service and block the following types of attacks:
- Repeated failed authentication attempts to remote access VPN services (brute-force username/password scanning attacks).
- Client initiation attacks, where the attacker starts but does not complete connection attempts to a remote access VPN headend many times from a single host.
- Connection attempts to invalid remote access VPN services. That is, when attackers try to connect to specific built-in tunnel groups intended solely for the internal functioning of the device. Legitimate endpoints should never attempt to connect to these tunnel groups.
Cisco told BleepingComputer that client initiation attacks are usually carried out to consume resources, potentially putting the device in a denial of service state.
To enable these new features, you must be running a supported version of Cisco ASA or FTD, listed below:
ASA Software:
- 9.16 version train -> supported from 9.16(4)67 and newer versions within this specific train.
- 9.17 version train -> supported from 9.17(1)45 and newer versions within this specific train.
- 9.18 version train -> supported from 9.18(4)40 and newer versions within this specific train.
- 9.19 version train -> supported from 9.19(1).37 and newer versions within this specific train.
- 9.20 version train -> supported from 9.20(3) and newer versions within this specific train.
- 9.22 version train -> supported from 9.22(1.1) and any newer versions.
FTD Software:
- 7.0 version train -> supported from 7.0.6.3 and newer versions within this specific train.
- 7.2 version train -> supported from 7.2.9 and newer versions within this specific train.
- 7.4 version train -> supported from 7.4.2.1 and newer versions within this specific train.
- 7.6 version train -> supported from 7.6.0 and any newer versions.
If you are running a supported software version, you can use the following commands to enable the new features.
To prevent threat actors from attempting to connect to built-in tunnel groups that are not normally meant to be connected to, you would enter this command:
threat-detection service invalid-vpn-access
To prevent repeated attempts from the same IP address to initiate an authentication request to the RAVPN service but never complete it, you would use this command:
threat-detection service remote-access-client-initiations hold-down <minutes> threshold <count>
Finally, to prevent repeated authentication requests from the same IP address, you would use this command:
threat-detection service remote-access-authentication hold-down <minutes> threshold <count>
For both the remote-access-client-initiations and remote-access-authentication features, the minutes and count variables have the following definitions:
- hold-down defines the period after the last initiation attempt during which consecutive connection attempts are counted. If the number of consecutive connection attempts meets the configured threshold within this period, the attacker's IPv4 address is shunned. You can set this period between 1 and 1440 minutes.
- threshold is the number of connection attempts required during the hold-down period to trigger a shun. You can set the threshold between 5 and 100.
If an IP address makes too many connection or authentication requests in the defined period, the Cisco ASA and FTD software will shun, or block, the IP address indefinitely until you manually remove it using the following command:
no shun source_ip [vlan vlan_id]
A Cisco ASA admin shared a script on Reddit that automatically removes all shunned IP addresses every seven days.
An example of a complete configuration shared by Cisco that enables all three features is:
threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20
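The following script is an added illustration, not code from Cisco or the article: it renders the three commands for chosen hold-down/threshold values, checks them against the ranges given above, and replays a constructed set of failed-login events to show which source IP the hold-down/threshold logic would shun. The event format and the exact counting behaviour are assumptions modelled on the definitions in the text, not the device's real implementation.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real device logs: (timestamp, source IP) of
# failed RAVPN authentication attempts as the headend would observe them.
BASE = datetime(2024, 10, 24, 9, 0, 0)
SAMPLE_EVENTS = (
    # attacker: 25 attempts, 10 seconds apart (all inside one hold-down window)
    [(BASE + timedelta(seconds=10 * i), "203.0.113.5") for i in range(25)]
    # legitimate user: 6 failures, 15 minutes apart (each gap exceeds a 10-minute hold-down)
    + [(BASE + timedelta(minutes=15 * i), "198.51.100.7") for i in range(6)]
)

def valid_parameters(hold_down: int, threshold: int) -> bool:
    """Ranges the article gives: hold-down 1-1440 minutes, threshold 5-100."""
    return 1 <= hold_down <= 1440 and 5 <= threshold <= 100

def config_lines(hold_down: int, threshold: int) -> list[str]:
    """Render the three threat-detection commands for the given parameters."""
    if not valid_parameters(hold_down, threshold):
        raise ValueError(f"hold-down {hold_down} / threshold {threshold} out of range")
    return [
        "threat-detection service invalid-vpn-access",
        f"threat-detection service remote-access-client-initiations hold-down {hold_down} threshold {threshold}",
        f"threat-detection service remote-access-authentication hold-down {hold_down} threshold {threshold}",
    ]

def simulate_shuns(events, hold_down: int, threshold: int) -> dict[str, datetime]:
    """Replay events in time order and return {ip: time shunned} (assumed model).
    A per-IP counter grows while each attempt arrives within hold_down minutes of the
    previous one and resets otherwise; reaching threshold shuns the IP indefinitely."""
    window = timedelta(minutes=hold_down)
    last_seen, counts, shunned = {}, {}, {}
    for ts, ip in sorted(events):
        if ip in shunned:
            continue  # already blocked: further attempts are dropped
        if ip in last_seen and ts - last_seen[ip] <= window:
            counts[ip] += 1
        else:
            counts[ip] = 1  # gap exceeded the hold-down period: start counting again
        last_seen[ip] = ts
        if counts[ip] >= threshold:
            shunned[ip] = ts
    return shunned

if __name__ == "__main__":
    print("\n".join(config_lines(10, 20)))
    for ip, when in simulate_shuns(SAMPLE_EVENTS, 10, 20).items():
        print(f"shun {ip} at {when:%H:%M:%S}")
```

With the defaults of hold-down 10 and threshold 20, only the attacker is shunned (on its 20th attempt); the legitimate user's widely spaced failures never accumulate because each gap exceeds the window.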
An admin on Reddit further noted that the client initiation protections caused some false positives in their environment but performed better after reverting to the defaults of hold-down 10 and threshold 20.
When BleepingComputer asked if there is any downside to using these features when RAVPN is enabled, Cisco said there could be a potential performance impact.
“There is no expected ‘downside,’ but the potential for performance impact can exist when enabling new features based on existing device configuration and traffic load,” Cisco told BleepingComputer.
Overall, if you are targeted by threat actors trying to brute force your VPN accounts, it is strongly recommended that you enable these features to mitigate the attacks, as compromised VPN credentials are commonly used to breach networks for ransomware attacks.