CVE-2024-20513Authorization Bypass Through User-Controlled Key in Cisco Meraki Mx100 Firmware

CWE-639Authorization Bypass Through User-Controlled KeyCWE-400Uncontrolled Resource ConsumptionCWE-415Double FreeCWE-787Out-of-bounds Write4 documents4 sources
Severity
5.3MEDIUMNVD
CNA5.8
EPSS
0.3%
top 46.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
26
Cisco Meraki Mx100 FirmwareCisco Meraki Mx105 FirmwareCisco Meraki Mx250 Firmware+23 more
Timeline
PublishedOct 2

Description

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition for targeted users of the AnyConnect service on an affected device. This vulnerability is due to insufficient entropy for handlers that are used during SSL VPN session establishment. An unauthenticated attacker could exploit this vulnerability by brute forcing valid session handlers. An authenticated a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages26 packages

NVDcisco/meraki_z3_firmware16.218.211.2
NVDcisco/meraki_z4_firmware16.218.211.2
NVDcisco/meraki_vmx_firmware16.218.211.2
NVDcisco/meraki_z3c_firmware16.218.211.2
NVDcisco/meraki_z4c_firmware16.218.211.2

🔴Vulnerability Details

2
GHSA
GHSA-45f4-7wmp-8679: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica2024-10-02
CVEList
CVE-2024-20513: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica2024-10-02

📋Vendor Advisories

1
Cisco
Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities2024-10-02
CVE-2024-20513 — Cisco vulnerability | cvebase