Cisco Meraki MX and Z Series AnyConnect VPN Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Cisco AnyConnect VPN server on Cisco Meraki MX and Z Series devices. It allows an authenticated, remote attacker to disrupt the AnyConnect service by causing the VPN server to restart. The root cause is a variable that is not properly initialized when an SSL VPN session is established. An attacker with valid VPN user credentials can trigger the condition by sending crafted attributes during session establishment. Successful exploitation terminates all active SSL VPN sessions, forcing users to reconnect and reauthenticate, and a sustained attack can prevent new SSL VPN connections from being established. Notably, the VPN server recovers automatically once the attack traffic stops; no manual intervention is required.
Impact
Exploitation of this vulnerability causes the Cisco AnyConnect VPN server to restart, disrupting active SSL VPN sessions and forcing users to reconnect and reauthenticate. In cases of sustained exploitation, new SSL VPN connections can be blocked from being established.
Remediation
Cisco Meraki has released software updates that address this vulnerability. Customers are advised to upgrade to a fixed release. For guidance on which releases are fixed, consult the 'Fixed Software' section of the Cisco Security Advisory related to this vulnerability.
