
Unpatched Cisco ASA flaw exploited by attackers (CVE-2023-20269)


A recent vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) firewalls has been exploited by attackers seeking to gain access to vulnerable internet-exposed devices. In a security advisory, Cisco acknowledged that the vulnerability, identified as CVE-2023-20269, was discovered during the resolution of a Cisco TAC support case and expressed gratitude to Rapid7 for reporting attempted exploitation of the vulnerability.

CVE-2023-20269 specifically affects the remote access VPN feature of Cisco ASA and FTD solutions. This vulnerability potentially allows an unauthenticated, remote attacker to conduct a brute force attack in order to identify valid username and password combinations that can be used to establish an unauthorized remote access VPN session. Additionally, an authenticated, remote attacker can establish a clientless SSL VPN session with an unauthorized user, but this is only possible when running Cisco ASA Software Release 9.16 or earlier.

Cisco explained that the vulnerability arises from the improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. By specifying a default connection profile/tunnel group, an attacker could exploit this vulnerability during a brute force attack or while establishing a clientless SSL VPN session using valid credentials. However, it is important to note that the flaw does not permit attackers to bypass authentication. Valid credentials, including a valid second factor if multi-factor authentication (MFA) is configured, are still required to successfully establish a remote access VPN session.

While working on a fix for the vulnerability, Cisco has provided mitigation steps and indicators of compromise that may indicate successful exploitation. They have also offered recommendations for administrators to follow. In light of the vulnerability, Caitlin Condon, head of vulnerability research at Rapid7, emphasized that CVE-2023-20269 makes it easier for attackers to conduct brute force attacks. Rapid7 had observed brute force attacks in recent ransomware attacks against enterprises, specifically targeting Cisco ASAs that either did not have multi-factor authentication (MFA) or were not enforcing it.
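As an added example (not from the article, Cisco, or Rapid7), this is the kind of log review an administrator could run over ASA syslog output when looking for the brute-force activity and default-group session attempts described above. The message IDs 113005/113015/716002, the field layout of those messages, and the default tunnel-group names DefaultADMINGroup/DefaultL2LGroup are assumptions drawn from ASA conventions rather than values given on this page, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed ASA syslog IDs for AAA rejections and assumed default tunnel-group names;
# verify both against the syslog guide for your release before relying on them.
REJECT_IDS = {"113005", "113015"}
DEFAULT_GROUPS = {"DefaultADMINGroup", "DefaultL2LGroup"}
MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s*(?P<body>.*)")
KV_RE = re.compile(r"(?P<key>[A-Za-z ]+?)\s*=\s*(?P<val>[^:,]+)")

def parse_asa_event(line):
    """Extract message id, user, source IP and tunnel group from one ASA syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k.strip().lower(): v.strip() for k, v in KV_RE.findall(m.group("body"))}
    return {
        "id": m.group("id"),
        "user": fields.get("user") or fields.get("username"),
        "src": fields.get("user ip") or fields.get("ip"),
        "group": fields.get("group"),
    }

def summarize_failures(lines, threshold=5):
    """Per source IP: count AAA rejections and any attempt that bound to a default group."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "default_group_hits": 0})
    for line in lines:
        ev = parse_asa_event(line)
        if not ev or not ev["src"]:
            continue
        stats = per_src[ev["src"]]
        if ev["id"] in REJECT_IDS:
            stats["failures"] += 1
            stats["users"].add(ev["user"])
        if ev["group"] in DEFAULT_GROUPS:
            stats["default_group_hits"] += 1
    # Many rejections from one source (often across many usernames) suggest brute force;
    # any session that landed on a default admin/L2L group deserves a look on its own.
    return {src: {"failures": s["failures"], "distinct_users": len(s["users"]),
                  "default_group_hits": s["default_group_hits"]}
            for src, s in per_src.items()
            if s["failures"] >= threshold or s["default_group_hits"]}

SAMPLE_LOG = [  # constructed sample lines in ASA syslog style, not real telemetry
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10",
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.10",
    "%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = jsmith : user IP = 203.0.113.10",
    "%ASA-6-716002: Group = DefaultADMINGroup, Username = admin, IP = 198.51.100.7, WebVPN session terminated: Client type not supported.",
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44",
]
```

Running `summarize_failures(SAMPLE_LOG, threshold=3)` flags 203.0.113.10 for three rejections across three usernames and 198.51.100.7 for a session bound to DefaultADMINGroup, while the single failure from 192.0.2.44 stays below the threshold.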

According to Condon, Cisco’s security advisory did not provide specific IP addresses or attribution information about the exploitation activity, making it difficult to tell whether the same attackers are behind different incidents. She suggested that several attackers may exhibit similar behavior, so the activity cannot readily be attributed to a single attacker or a fixed group of attackers. Rapid7 noted in a previous blog that it had witnessed several different techniques and payloads in the attacks it observed, including the Akira and LockBit ransomware strains.

Organizations using Cisco ASA and FTD firewalls are urged to apply Cisco’s fix as soon as it is available and to follow the mitigation steps Cisco has already published. Enforcing strong authentication, in particular multi-factor authentication, for remote access VPN sessions is essential, since valid credentials remain the prerequisite for exploitation. By staying vigilant and implementing these measures, organizations can reduce their exposure to this exploitation.
