CVE-2024-20384: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability in the Network Service Group (NSG) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software was discovered, identified as CVE-2024-20384. The vulnerability allows an unauthenticated, remote attacker to bypass configured access control list (ACL) rules. This medium severity vulnerability was disclosed on October 23, 2024, and affects systems running vulnerable releases of Cisco ASA Software or FTD Software with NSG ACL enabled (Cisco Advisory).

The vulnerability stems from a logic error that occurs when NSG ACLs are populated on affected devices. It has been assigned a CVSS base score of 5.8 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N. To determine if a system is vulnerable, administrators can use the command 'show access-list | inc object-group-network-service' on the device CLI. If the command returns output showing 'object-group-network-service', the NSG ACL feature is enabled and the device may be affected (Cisco Advisory).

The exploitation of this vulnerability could allow attackers to bypass protections provided by an ACL applied on an affected device. The overall impact of exploitation depends on the importance of the assets that the ACL was supposed to protect. Traffic that should be denied could flow through an affected device, potentially compromising network security (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available that address this vulnerability. Customers are advised to regularly consult the advisories for Cisco products and ensure that their devices contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release (Cisco Advisory).