CVE-2024-20384

23.10.2024, 18:15

A vulnerability in the Network Service Group (NSG) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device.

 This vulnerability is due to a logic error that occurs when NSG ACLs are populated on an affected device. An attacker could exploit this vulnerability by establishing a connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.8 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
cisco	CNA	5.8 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
cisco	adaptive_security_appliance_software	9.16.1
cisco	adaptive_security_appliance_software	9.16.1.28
cisco	adaptive_security_appliance_software	9.16.2
cisco	adaptive_security_appliance_software	9.16.2.3
cisco	adaptive_security_appliance_software	9.16.2.7
cisco	adaptive_security_appliance_software	9.16.2.11
cisco	adaptive_security_appliance_software	9.16.2.13
cisco	adaptive_security_appliance_software	9.16.2.14
cisco	adaptive_security_appliance_software	9.16.3
cisco	adaptive_security_appliance_software	9.16.3.3
cisco	adaptive_security_appliance_software	9.16.3.14
cisco	adaptive_security_appliance_software	9.16.3.15
cisco	adaptive_security_appliance_software	9.16.3.19
cisco	adaptive_security_appliance_software	9.16.3.23
cisco	adaptive_security_appliance_software	9.16.4
cisco	adaptive_security_appliance_software	9.16.4.9
cisco	adaptive_security_appliance_software	9.16.4.14
cisco	adaptive_security_appliance_software	9.16.4.18
cisco	adaptive_security_appliance_software	9.16.4.19
cisco	adaptive_security_appliance_software	9.16.4.27
cisco	adaptive_security_appliance_software	9.16.4.38
cisco	adaptive_security_appliance_software	9.16.4.39
cisco	adaptive_security_appliance_software	9.16.4.42
cisco	adaptive_security_appliance_software	9.16.4.48
cisco	adaptive_security_appliance_software	9.16.4.55
cisco	adaptive_security_appliance_software	9.16.4.57
cisco	adaptive_security_appliance_software	9.16.4.61
cisco	adaptive_security_appliance_software	9.17.1
cisco	adaptive_security_appliance_software	9.17.1.7
cisco	adaptive_security_appliance_software	9.17.1.9
cisco	adaptive_security_appliance_software	9.17.1.10
cisco	adaptive_security_appliance_software	9.17.1.11
cisco	adaptive_security_appliance_software	9.17.1.13
cisco	adaptive_security_appliance_software	9.17.1.15
cisco	adaptive_security_appliance_software	9.17.1.20
cisco	adaptive_security_appliance_software	9.17.1.30
cisco	adaptive_security_appliance_software	9.17.1.33
cisco	adaptive_security_appliance_software	9.17.1.39
cisco	adaptive_security_appliance_software	9.18.1
cisco	adaptive_security_appliance_software	9.18.1.3
cisco	adaptive_security_appliance_software	9.18.2
cisco	adaptive_security_appliance_software	9.18.2.5
cisco	adaptive_security_appliance_software	9.18.2.7
cisco	adaptive_security_appliance_software	9.18.2.8
cisco	adaptive_security_appliance_software	9.18.3
cisco	adaptive_security_appliance_software	9.18.3.39
cisco	adaptive_security_appliance_software	9.18.3.46
cisco	adaptive_security_appliance_software	9.18.3.53
cisco	adaptive_security_appliance_software	9.18.3.55
cisco	adaptive_security_appliance_software	9.18.3.56
cisco	adaptive_security_appliance_software	9.18.4
cisco	adaptive_security_appliance_software	9.18.4.5
cisco	adaptive_security_appliance_software	9.18.4.8
cisco	adaptive_security_appliance_software	9.18.4.22
cisco	adaptive_security_appliance_software	9.18.4.24
cisco	adaptive_security_appliance_software	9.18.4.29
cisco	adaptive_security_appliance_software	9.19.1
cisco	adaptive_security_appliance_software	9.19.1.5
cisco	adaptive_security_appliance_software	9.19.1.9
cisco	adaptive_security_appliance_software	9.19.1.12
cisco	adaptive_security_appliance_software	9.19.1.18
cisco	adaptive_security_appliance_software	9.19.1.22
cisco	adaptive_security_appliance_software	9.19.1.24
cisco	adaptive_security_appliance_software	9.19.1.27
cisco	adaptive_security_appliance_software	9.19.1.28
cisco	adaptive_security_appliance_software	9.19.1.31
cisco	adaptive_security_appliance_software	9.20.1
cisco	adaptive_security_appliance_software	9.20.1.5
cisco	adaptive_security_appliance_software	9.20.2
cisco	adaptive_security_appliance_software	9.20.2.10
cisco	adaptive_security_appliance_software	9.20.2.21
cisco	adaptive_security_appliance_software	9.20.2.22
cisco	firepower_threat_defense	7.0.0
cisco	firepower_threat_defense	7.0.0.1
cisco	firepower_threat_defense	7.0.1
cisco	firepower_threat_defense	7.0.1.1
cisco	firepower_threat_defense	7.0.2
cisco	firepower_threat_defense	7.0.2.1
cisco	firepower_threat_defense	7.0.3
cisco	firepower_threat_defense	7.0.4
cisco	firepower_threat_defense	7.0.5
cisco	firepower_threat_defense	7.0.6
cisco	firepower_threat_defense	7.0.6.1
cisco	firepower_threat_defense	7.0.6.2
cisco	firepower_threat_defense	7.1.0
cisco	firepower_threat_defense	7.1.0.1
cisco	firepower_threat_defense	7.1.0.2
cisco	firepower_threat_defense	7.1.0.3
cisco	firepower_threat_defense	7.2.0
cisco	firepower_threat_defense	7.2.0.1
cisco	firepower_threat_defense	7.2.1
cisco	firepower_threat_defense	7.2.2
cisco	firepower_threat_defense	7.2.3
cisco	firepower_threat_defense	7.2.4
cisco	firepower_threat_defense	7.2.4.1
cisco	firepower_threat_defense	7.2.5
cisco	firepower_threat_defense	7.2.5.1
cisco	firepower_threat_defense	7.2.5.2
cisco	firepower_threat_defense	7.2.6
cisco	firepower_threat_defense	7.2.7
cisco	firepower_threat_defense	7.2.8
cisco	firepower_threat_defense	7.2.8.1
cisco	firepower_threat_defense	7.3.0
cisco	firepower_threat_defense	7.3.1
cisco	firepower_threat_defense	7.3.1.1
cisco	firepower_threat_defense	7.3.1.2
cisco	firepower_threat_defense	7.4.0
cisco	firepower_threat_defense	7.4.1
cisco	firepower_threat_defense	7.4.1.1
cisco	firepower_threat_defense	7.4.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-290 - Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-nsgacl-bypass-77XnEAsL