CVE-2024-20513

Name of the Vulnerable Software and Affected Versions Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified)

Description A vulnerability in the Cisco AnyConnect VPN server could allow an unauthenticated, remote attacker to cause a DoS condition for targeted users of the AnyConnect service on an affected device. This issue is due to insufficient entropy for handlers used during SSL VPN session establishment. An attacker could exploit this by brute forcing valid session handlers or, if authenticated, by connecting to the AnyConnect VPN service to retrieve and predict valid session handlers. The attacker would then send a crafted HTTPS request to the AnyConnect VPN server, potentially terminating targeted SSL VPN sessions and forcing users to reauthenticate.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.