Pierluigi Paganini October 25, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco ASA and FTD, and RoundCube Webmail bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
• CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

This week, Cisco addressed multiple vulnerabilities in Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including an actively exploited flaw tracked as CVE-2024-20481.

The vulnerability CVE-2024-20481 (CVSS score of 5.8) is a Denial of Service (DoS) issue that impacts the Remote Access VPN (RAVPN) service of ASA and FTD.

An unauthenticated, remote attacker can exploit the vulnerability to cause a denial of service (DoS) of the RAVPN service.

“This vulnerability is due to resource exhaustion. An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.” reads the advisory. “Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service. Services that are not related to VPN are not affected.”

In April, Cisco Talos researchers detailed a large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials. Cisco warned customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The IT giant pointed out that the attacks are also targeting third-party VPN concentrators.

Now the company confirmed that the flaw CVE-2024-20481 is actively exploited in the wild.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious use of the vulnerability that is described in this advisory.” continues the advisory.

Recently, tesearchers from Positive Technologies warned that unknown threat actors have attempted to exploit the now-patched vulnerability CVE-2024-37383 (CVSS score: 6.1) in the open-source Roundcube webmail software.

The attackers exploited the flaw as part of a phishing campaign aimed at stealing the credentials of Roundcube users.

In September 2024, Positive Technologies discovered an email sent to a governmental organization in a CIS country. The analysis of the timestamps indicates that the email was sent in June 2024. The content of the email was empty, and the message only included an attached document that was not visible in the email client.

The body of the email contained distinctive tags with the statement eval(atob(…)) used by the attackers to decode and execute JavaScript code. The researchers noticed that the attribute name (attributeName=”href “) contains an extra space, indicating that the email was an attempt to exploit the CVE-2024-37383 vulnerability in Roundcube Webmail.

The vulnerability impacts Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7, an attacker could exploit the vulnerability to conduct XSS attacks via SVG animate attributes. The vulnerability has been addressed in versions 1.5.7 and 1.6.7 released in May 2024.

An attacker could trigger the vulnerability to execute arbitrary JavaScript code in the context of the recipient’s web browser.

An attacker could exploit the vulnerability by tricking the recipient into opening a specially crafted email using a vulnerable Roundcube client version.

“When an extra space is added to the “href” attribute name, the syntax will not be filtered and will appear in the final document. Before this, it will be formatted as {attribute name} = {attribute value}” reads the report published by Positive Technologies. “By inserting JavaScript code as the value for “href”, we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email.”

The researchers also published PoC exploit code for this vulnerability.

The JavaScript payload employed in the attack saves an empty Word document (“Road map.docx”) and retrieves messages from the mail server using the ManageSieve plugin.

The attack creates a fake login form in Roundcube’s interface, capturing user credentials and sending them to a malicious server (libcdn.org). The domain was registered in 2024.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by November 14, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)