A vulnerability (CVE-2023-20269) in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) firewalls is being exploited by attackers to gain access to vulnerable devices exposed to the Internet.
“This vulnerability was discovered during the resolution of a Cisco TAC support case,” the company noted in a recently published security advisory, and thanked Rapid7 for reporting an attempt to exploit this vulnerability.
CVE-2023-20269 affects the Remote Access VPN functionality of Cisco ASA and FTD solutions.
It can allow:
- An unauthenticated remote attacker to conduct a brute force attack to identify valid username and password combinations that can be used to establish an unauthorized remote access VPN session, or
- An authenticated remote attacker to establish a clientless SSL VPN session with an unauthorized user (but only when running Cisco ASA software version 9.16 or earlier)
Both approaches require certain conditions to be met.
“This vulnerability is due to improper separation of Authentication, Authorization, and Accounting (AAA) between Remote Access VPN functionality and HTTPS management and Site-to-Site VPN functionality,” Cisco explained.
“An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or establishing a clientless SSL VPN session using valid credentials.”
But the company was careful to note that the flaw does not allow attackers to bypass authentication. “To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.”
While it works on fixed software releases, Cisco has published mitigation steps, indicators of compromise (IoCs) that can point to successful exploitation, and recommendations for administrators.
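The mechanism Cisco describes (credentials tried against a default connection profile rather than a configured one) suggests a simple log check a defender can run while the mitigations are being applied: count rejected AAA attempts per source address, and separately look for clientless SSL VPN sessions that start on one of the default tunnel groups. The script below is an added example written for this page, not Cisco's or Rapid7's code. It assumes ASA syslog output in the documented `%ASA-6-113015` / `%ASA-6-113005` (authentication rejected) and `%ASA-6-716001` (WebVPN session started) shapes, and the set of default tunnel-group names is the editor's assumption; the sample log lines, host names and addresses are constructed for the example.

```python
"""Flag brute-force activity and clientless SSL VPN sessions that land on a
default ASA connection profile, from ASA syslog text (added example)."""
import re
from collections import Counter, defaultdict

# Default tunnel groups present on an ASA (editor's assumption; the article does not list them).
DEFAULT_TUNNEL_GROUPS = {
    "DefaultADMINGroup", "DefaultL2LGroup", "DefaultRAGroup", "DefaultWEBVPNGroup",
}

# Constructed sample log lines for this example; not taken from the article or the advisory.
SAMPLE_LOGS = """\
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.10.5 : user = ***** : user IP = 198.51.100.9
%ASA-6-716001: Group <DefaultADMINGroup> User <admin> IP <203.0.113.7> WebVPN session started.
%ASA-6-716001: Group <Corp-RA> User <jdoe> IP <198.51.100.23> WebVPN session started.
"""

# 113015 (local database) and 113005 (external AAA server) share the trailing "user = ... : user IP = ..." fields.
REJECT_RE = re.compile(
    r"%ASA-6-1130(?:05|15): AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r".*? user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)
# 716001 carries the tunnel group the session was established under.
SESSION_RE = re.compile(
    r"%ASA-6-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> WebVPN session started"
)


def parse(lines):
    """Return (rejects, sessions): rejects maps source IP -> Counter of usernames tried;
    sessions is a list of (group, user, ip) for WebVPN session starts.
    re.search is used so a leading timestamp/hostname from a syslog collector is tolerated."""
    rejects = defaultdict(Counter)
    sessions = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects[m["ip"]][m["user"]] += 1
            continue
        m = SESSION_RE.search(line)
        if m:
            sessions.append((m["group"], m["user"], m["ip"]))
    return rejects, sessions


def brute_force_sources(rejects, threshold=5):
    """Source IPs with at least `threshold` rejected AAA attempts (threshold is an assumed tuning value)."""
    return {ip: sum(c.values()) for ip, c in rejects.items() if sum(c.values()) >= threshold}


def default_group_sessions(sessions):
    """Sessions that were established under a default connection profile rather than a configured one."""
    return [s for s in sessions if s[0] in DEFAULT_TUNNEL_GROUPS]


def analyze(text, threshold=5):
    """Run both checks and correlate them: a brute-forcing source that later obtains a
    session on a default group is the highest-confidence finding."""
    rejects, sessions = parse(text.splitlines())
    suspects = brute_force_sources(rejects, threshold)
    landed = default_group_sessions(sessions)
    confirmed = [s for s in landed if s[2] in suspects]
    return {"brute_force": suspects, "default_group_sessions": landed, "confirmed": confirmed}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Feed it the output of `show logging` or a collector export. A session on a default group with no preceding failures is still worth a look, since the credentials may have been obtained elsewhere; the correlation only raises confidence, it does not clear the other hits.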
Caitlin Condon, head of vulnerability research at Rapid7, says CVE-2023-20269 makes it easier for attackers to carry out brute-force attacks, and that brute forcing was one of the techniques the company observed during recent ransomware attacks against businesses, which started with brute-force attacks on Cisco ASAs that did not have multi-factor authentication (MFA) enabled or enforced.
“Cisco did not cite specific IP addresses or attribution information for the vulnerability in its advisory. They talked a little about attacker behavior, but many attackers might have the same behavior. It is not possible to discern whether there is an overlap of specific attackers without more information,” she told Help Net Security.
“As we noted in our original blog on this subject, Rapid7 observed the use of a number of different techniques and a number of different payloads, including Akira and LockBit ransomware. These attacks were all different. I would reject the hypothesis that there is a single attacker or a defined group of attackers.”