Vulnerability Notice: CVE-2023-20269

Vendor:
Cisco

Affected Product:
Cisco Adaptive Security Appliance (ASA) Software 9.12.1.2, Cisco Firepower Threat Defense (FTD) Software

CVSS SCORE:
9.1 of 10 (Critical)

Risk Index:
10.0 of 10 (Critical)

Description

A critical vulnerability, designated CVE-2023-20269, has been identified in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. It could allow an unauthenticated, remote attacker to conduct a brute-force attack to identify valid username and password combinations, or allow an authenticated attacker to establish a clientless SSL VPN session with unauthorized access.

Affected Product(s)

Cisco Adaptive Security Appliance (ASA) Software 9.12.1.2 on Cisco 3000 Series Industrial Security Appliances (ISA) and Cisco ASA 5500-X Series Firewalls, Cisco Firepower Threat Defense 6.2.3.10 and 6.2.3.11.

Technical Details

The authentication bypass vulnerability CVE-2023-20269 affecting Cisco ASA Software and Cisco FTD Software arises from improper separation of authentication, authorization, and accounting (AAA) across different features. Specifically, the issue occurs between the remote access VPN feature and the HTTPS management and site-to-site VPN features.

When exploited, attackers can specify a default connection profile/tunnel group to conduct brute-force attacks or to establish clientless SSL VPN sessions; this affects systems running Cisco ASA Software Release 9.16 or earlier. The vulnerability does not let attackers bypass the need for valid credentials: a valid username and password combination, and potentially a multi-factor authentication (MFA) token, are still required for access.

While attackers cannot bypass authentication, they can exploit default connection profiles that lack strict IP address pool configurations, potentially obtaining unauthorized user access without leaving substantial traces.

The Cisco ASA Software has experienced vulnerabilities with similar characteristics in the past, and this instance leverages the same architectural flaws in the AAA mechanisms. Versions impacted include ASA Version 9.8.1 up to 9.12.4.62, 9.14.1 up to 9.16.4.39, 9.17.1 up to 9.17.1.33, 9.18.1 up to 9.18.3.56, and 9.19.1 up to 9.19.1.22, making them susceptible to CVE-2023-20269.

Cisco has provided a security advisory detailing the measures to be taken, which covers patching and instructions for mitigating any immediate threat while vulnerability assessments are performed via authenticated QID detection logic. Exploitation allows an attacker to establish clientless SSL VPN sessions by leveraging configuration groups in the affected software that are not correctly compartmentalized between VPN and management features, resulting in overlapping access permissions. Consequently, attackers could traverse security boundaries using the knowledge gained from improper AAA checks or inadequate administrative segregation.

Weakness

The key weaknesses associated with this vulnerability are ‘Authentication Bypass Using an Alternate Path or Channel’ (CWE-288) and ‘Incorrect Authorization’ (CWE-863). These weaknesses relate to the improper management and separation of authentication and authorization processes.

Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access, identify valid user credentials, or establish a clientless SSL VPN session, thereby breaching network security boundaries. This could lead to unauthorized data exfiltration, manipulation, or even a pathway for launching further attacks against internal networks.

Active Exploitation

Reports have highlighted activity from threat actors exploiting CVE-2023-20269. The observed activity shows adversaries leveraging this vulnerability to gain unauthorized access to systems protected by Cisco ASA and FTD.

Threat Actors: Two ransomware strains, Akira and LockBit, have been noted in conjunction with exploitation attempts against affected Cisco installations, potentially using the vulnerability as an entry vector into compromised systems for subsequent ransomware activity.

Ransomware Association

The vulnerability CVE-2023-20269 has been linked to ransomware attacks, notably involving the Akira and LockBit groups, which exploit the vulnerability to gain initial access, facilitating unauthorized control and potential for ransom demands.

Mitigation and Resolution

Cisco has released patches that address this vulnerability. Please update to the latest software release versions provided by Cisco. In addition to patching, several workarounds are available, such as using group-lock configurations and managing vpn-simultaneous-logins to further restrict unauthorized access.

Recommendations

  • We strongly recommend that all customers apply the latest patch as soon as possible.
  • Use the Cisco security advisories to perform authenticated scans and confirm that devices are running a fixed release.
  • For unsupported devices, discontinue their use or apply mitigations as per vendor instructions.
  • Regularly monitor networks and systems for anomalous activities that could suggest unauthorized access attempts.
  • Enable multi-factor authentication (MFA) to strengthen access controls.
  • Keep all network security policies up to date in line with Cisco's security guidance and available updates.
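As an added example (not part of this notice or of Cisco's advisory), the following Python script performs a basic version of the monitoring recommended above over constructed ASA syslog lines: it counts the distinct usernames rejected per source IP (the brute-force pattern described under Technical Details) and flags clientless WebVPN sessions started under a default group policy or tunnel group. The 113005/113015/716001 message layouts follow Cisco's documented ASA syslog formats; the default group names are the ASA built-in defaults; the alert threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample, not captured from a real device.
SAMPLE_LOGS = """\
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 198.51.100.7
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = test : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
%ASA-6-716001: Group <DfltGrpPolicy> User <carol> IP <198.51.100.7> WebVPN session started.
%ASA-6-716001: Group <RA_POLICY> User <dave> IP <203.0.113.9> WebVPN session started.
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = dave : user IP = 203.0.113.9
"""

# 113005 (AAA server reject) and 113015 (local database reject) share the user / user IP suffix.
REJECT_RE = re.compile(r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected.*: user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
# 716001 is logged when a clientless (WebVPN) session starts.
WEBVPN_RE = re.compile(r"%ASA-\d-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> WebVPN session started")
# Built-in ASA default group policy and tunnel groups (names assumed from ASA defaults).
DEFAULT_GROUPS = {"DfltGrpPolicy", "DefaultRAGroup", "DefaultWEBVPNGroup", "DefaultADMINGroup", "DefaultL2LGroup"}

def summarize(log_text):
    """Per source IP: set of rejected usernames and list of (user, group) default-profile sessions."""
    per_ip = defaultdict(lambda: {"rejected_users": set(), "default_sessions": []})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            per_ip[m["ip"]]["rejected_users"].add(m["user"])
            continue
        m = WEBVPN_RE.search(line)
        if m and m["group"] in DEFAULT_GROUPS:
            per_ip[m["ip"]]["default_sessions"].append((m["user"], m["group"]))
    return per_ip

def flag(per_ip, threshold=3):
    """Return (ip, reasons) for IPs that look like credential guessing or default-profile logins."""
    alerts = []
    for ip, info in sorted(per_ip.items()):
        reasons = []
        if len(info["rejected_users"]) >= threshold:  # many distinct users from one source
            reasons.append(f"{len(info['rejected_users'])} distinct usernames rejected")
        if info["default_sessions"]:  # clientless session via a default profile
            reasons.append("clientless session under default profile: %s" % info["default_sessions"])
        if reasons:
            alerts.append((ip, reasons))
    return alerts

if __name__ == "__main__":
    for ip, reasons in flag(summarize(SAMPLE_LOGS)):
        print(ip, "->", "; ".join(reasons))
```

A single rejected login followed by a session under a customer-defined group policy (203.0.113.9 above) produces no alert; tune the threshold to the environment's normal failure rate.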
