CVE-2024-20500 — Uncontrolled Resource Consumption in Cisco Meraki Mx100 Firmware

CWE-400 — Uncontrolled Resource Consumption CWE-415 — Double Free CWE-639 — Authorization Bypass Through User-Controlled Key CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

7.5HIGHNVD

CNA5.8

EPSS

0.4%

top 41.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Meraki Mx100 Firmware Cisco Meraki Mx105 Firmware Cisco Meraki Mx250 Firmware +23 more

Timeline

PublishedOct 2

Description

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device. This vulnerability is due to insufficient resource management when establishing TLS/SSL sessions. An attacker could exploit this vulnerability by sending a series of crafted TLS/SSL messages to the VPN server of an affected device. A successful exploit c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages26 packages

▶NVDcisco/meraki_z3_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z4_firmware16.2 — 18.211.2

▶NVDcisco/meraki_vmx_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z3c_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z4c_firmware16.2 — 18.211.2

🔴Vulnerability Details

CVEList

CVE-2024-20500: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica↗2024-10-02

▶

GHSA

GHSA-7pgw-6p7m-45vf: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica↗2024-10-02

▶

📋Vendor Advisories

Cisco

Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities↗2024-10-02

▶