CVE-2024-20509

EPSS 0.04%
Veröffentlicht 02.10.2024 19:15:14
Zuletzt bearbeitet 04.06.2025 21:15:37
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to hijack an AnyConnect VPN session or cause a denial of service (DoS) condition for individual users of the AnyConnect VPN service on an affected device.

 This vulnerability is due to weak entropy for handlers that are used during the VPN authentication process as well as a race condition that exists in the same process. An attacker could exploit this vulnerability by correctly guessing an authentication handler and then sending crafted HTTPS requests to an affected device. A successful exploit could allow the attacker to take over the AnyConnect VPN session from a target user or prevent the target user from establishing an AnyConnect VPN session with the affected device.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Meraki Mx65 Firmware Version >= 17.6.0 < 18.211.2

Cisco ≫ Meraki Mx65 Version-

Cisco ≫ Meraki Mx64 Firmware Version >= 17.6.0 < 18.211.2

Cisco ≫ Meraki Mx64 Version-

Cisco ≫ Meraki Z4c Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z4c Version-

Cisco ≫ Meraki Z4 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z4 Version-

Cisco ≫ Meraki Z3c Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z3c Version-

Cisco ≫ Meraki Z3 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z3 Version-

Cisco ≫ Meraki Vmx Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Vmx Version-

Cisco ≫ Meraki Mx600 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx600 Version-

Cisco ≫ Meraki Mx450 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx450 Version-

Cisco ≫ Meraki Mx400 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx400 Version-

Cisco ≫ Meraki Mx250 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx250 Version-

Cisco ≫ Meraki Mx105 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx105 Version-

Cisco ≫ Meraki Mx100 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx100 Version-

Cisco ≫ Meraki Mx95 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx95 Version-

Cisco ≫ Meraki Mx85 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx85 Version-

Cisco ≫ Meraki Mx84 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx84 Version-

Cisco ≫ Meraki Mx75 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx75 Version-

Cisco ≫ Meraki Mx68w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx68w Version-

Cisco ≫ Meraki Mx68cw Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx68cw Version-

Cisco ≫ Meraki Mx68 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx68 Version-

Cisco ≫ Meraki Mx67w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx67w Version-

Cisco ≫ Meraki Mx67c Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx67c Version-

Cisco ≫ Meraki Mx67 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx67 Version-

Cisco ≫ Meraki Mx65w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx65w Version-

Cisco ≫ Meraki Mx64w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx64w Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.109

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
psirt@cisco.com	5.8	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-by-QWUkqV7X

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-20509

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-20509

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-20509

EUVD