Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks.
The medium-severity zero-day vulnerability impacts the VPN feature of Cisco ASA and Cisco FTD, allowing unauthorized remote attackers to conduct brute-force attacks against existing accounts.
By accessing those accounts, the attackers can establish a clientless SSL VPN session in the breached organization’s network, which can have varying repercussions depending on the victim’s network configuration.
Last month, BleepingComputer reported that the Akira ransomware gang was breaching corporate networks almost exclusively through Cisco VPN devices, with cybersecurity firm SentinelOne speculating that it may be through an unknown vulnerability.
A week later, Rapid7 reported that the LockBit ransomware operation, in addition to Akira, had also exploited an undocumented security problem in Cisco VPN devices. However, the exact nature of the problem remained unclear.
At the time, Cisco released an advisory warning that the breaches were conducted by brute forcing credentials on devices without MFA configured.
This week, Cisco confirmed the existence of a zero-day vulnerability that was used by these ransomware gangs and provided workarounds in an interim security bulletin.
However, security updates for the impacted products are not available yet.
The CVE-2023-20269 flaw is located within the web services interface of the Cisco ASA and Cisco FTD devices, specifically in the functions that handle authentication, authorization, and accounting (AAA).
The flaw is caused by improperly separating the AAA functions and other software features. This leads to scenarios where an attacker can send authentication requests to the web services interface to impact or compromise authorization components.
Because these requests are not limited, an attacker can brute-force credentials using countless username and password combinations without being rate-limited or blocked for abuse.
For the brute force attacks to work, the Cisco appliance must meet the following conditions:
- At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.
- SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.
If the targeted device runs Cisco ASA Software Release 9.16 or earlier, the attacker can establish a clientless SSL VPN session without additional authorization upon successful authentication.
To establish this clientless SSL VPN session, the targeted device needs to meet these conditions:
- The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.
- The device is running Cisco ASA Software Release 9.16 or earlier.
- SSL VPN is enabled on at least one interface.
- The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.
Mitigating the flaw
Cisco will release a security update to address CVE-2023-20269, but until fixes are made available, Cisco recommends that system administrators take the following actions:
- Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.
- Deny access with Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensuring that all VPN session profiles point to a custom policy.
- Implement LOCAL user database restrictions by locking specific users to a single profile with the ‘group-lock’ option, and prevent those users from establishing VPN sessions by setting ‘vpn-simultaneous-logins’ to zero.
Cisco also recommends securing Default Remote Access VPN profiles by pointing all non-default profiles to a sinkhole AAA server (dummy LDAP server) and enabling logging to catch potential attack incidents early.
Finally, it is crucial to note that multi-factor authentication (MFA) mitigates the risk, as even successfully brute-forcing account credentials wouldn’t be enough to hijack MFA-secured accounts and use them to establish VPN connections.
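Because the appliance itself does not rate-limit these authentication requests, the logging Cisco recommends only helps if something counts the failures. As an added example (not code from the article or from Cisco), the Python below parses constructed Cisco ASA syslog lines shaped like the AAA rejection message IDs 113005 (AAA server) and 113015 (LOCAL database) and flags any source address that accumulates failures inside a short sliding window; the message IDs are real ASA IDs, while the hostnames, addresses, usernames and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog shaped like ASA IDs 113015 (LOCAL database
# rejection), 113005 (AAA server rejection) and 113004 (success); not real data.
SAMPLE_LOGS = """\
Sep 07 2023 10:00:01 fw1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Sep 07 2023 10:00:02 fw1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
Sep 07 2023 10:00:03 fw1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc_backup : user IP = 203.0.113.7
Sep 07 2023 10:00:04 fw1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Sep 07 2023 10:00:05 fw1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
Sep 07 2023 10:00:06 fw1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc_backup : user IP = 203.0.113.7
Sep 07 2023 10:02:10 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.20
Sep 07 2023 10:03:40 fw1 : %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
"""

# Matches both rejection IDs; the ASA field layout is "user = <name> : user IP = <addr>".
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-\d-1130(?:05|15): "
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

def parse_rejections(text):
    """Yield (timestamp, user, source_ip) for every AAA rejection line."""
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["ip"]

def detect_bruteforce(text, window_s=60, threshold=5):
    """Return {source_ip: (total_rejections, distinct_users)} for sources
    with >= threshold rejections inside any window_s-second sliding window.
    The ASA does not rate-limit these requests, so the counting has to be
    done here, on the exported logs. distinct_users > 1 hints at spraying."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_rejections(text):
        by_ip[ip].append((ts, user))
    window, hits = timedelta(seconds=window_s), {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), len({u for _, u in events}))
                break
    return hits
```

On the sample data only 203.0.113.7 is flagged (six failures across three usernames within six seconds); the single typo from 198.51.100.20 and the successful 113004 line are ignored.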