Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that is actively exploited by ransomware operations to gain initial access to corporate networks.
The medium-severity zero-day affects the remote access VPN feature of Cisco ASA and Cisco FTD, allowing unauthenticated remote attackers to conduct brute-force attacks against existing accounts.
With access to one of these accounts, the attackers can establish a clientless SSL VPN session inside the breached organization's network, which can have varying repercussions depending on the victim's network configuration.
Last month, BleepingComputer reported that the Akira ransomware gang was breaching corporate networks almost exclusively through Cisco VPN devices, with cybersecurity firm SentinelOne speculating that it could be through an unknown vulnerability.
A week later, Rapid7 reported that the LockBit ransomware operation was also exploiting an undocumented security problem in Cisco VPN devices, alongside Akira. However, the exact nature of the problem remained unclear.
At the time, Cisco released an advisory warning that the breaches were carried out by brute-forcing credentials on devices without MFA configured.
This week, Cisco confirmed the existence of a zero-day vulnerability that was used by these ransomware gangs and provided workarounds in an interim security bulletin.
However, security updates for the impacted products are not available yet.
Vulnerability details
The CVE-2023-20269 flaw is located in the web services interface of Cisco ASA and Cisco FTD devices, specifically in the functions that handle authentication, authorization, and accounting (AAA).
The flaw is caused by improper separation of the AAA functions from other software features. This leads to scenarios where an attacker can send authentication requests to the web services interface to affect or compromise authorization components.
Since these requests are not limited, an attacker can brute-force credentials using large numbers of username and password combinations without being rate-limited or blocked for abuse.
For the brute-force attacks to work, the Cisco appliance must meet the following conditions:
- At least one user is configured with a password in the LOCAL database, or HTTPS management authentication points to a valid AAA server.
- SSL VPN is enabled on at least one interface, or IKEv2 VPN is enabled on at least one interface.
If the targeted device runs Cisco ASA Software Release 9.16 or earlier, the attacker can establish a clientless SSL VPN session without additional authorization once authentication succeeds.
To establish this clientless SSL VPN session, the targeted device needs to meet these conditions:
- The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute-force attack techniques.
- The device is running Cisco ASA Software Release 9.16 or earlier.
- SSL VPN is enabled on at least one interface.
- The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.
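Because the appliance does not throttle these authentication requests, detection of the brute forcing has to come from the device's own logs. The following Python script is an added example, not code from the article or from Cisco: it reads ASA syslog lines, counts rejected logins per source IP in a sliding window (message IDs 113005 for an AAA server and 113015 for the LOCAL database), and raises a second, higher-priority alert when a WebVPN session start (716001) is then seen from an IP that was already brute forcing, which is the moment a guessed password turns into a clientless SSL VPN session. The sample lines are constructed in the layout of those messages; verify the exact field layout against your own release, and treat the window and threshold values as assumptions to tune.

```python
"""Flag credential brute forcing against an ASA/FTD VPN from syslog.

Added example, not from the article or Cisco. Counts AAA rejections
(113005 = AAA server, 113015 = LOCAL database) per source IP in a sliding
window, then watches for a WebVPN session start (716001) from an IP that
was already flagged. SAMPLE_LOG is constructed in the layout of those
messages; the window/threshold defaults are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Sep 07 2023 10:15:01: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Sep 07 2023 10:15:02: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Sep 07 2023 10:15:02: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vpnuser : user IP = 203.0.113.10
Sep 07 2023 10:15:03: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vpnuser : user IP = 203.0.113.10
Sep 07 2023 10:15:04: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = backup : user IP = 203.0.113.10
Sep 07 2023 10:15:09: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
Sep 07 2023 10:15:20: %ASA-6-113012: AAA user authentication Successful : local database : user = vpnuser
Sep 07 2023 10:15:21: %ASA-6-716001: Group <DfltGrpPolicy> User <vpnuser> IP <203.0.113.10> WebVPN session started.
Sep 07 2023 11:40:00: %ASA-6-716001: Group <RA-POLICY> User <alice> IP <198.51.100.7> WebVPN session started.
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): ")
REJECT_RE = re.compile(
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
SESSION_RE = re.compile(
    r"%ASA-\d-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> WebVPN session started")


def parse_line(line):
    """Return (timestamp, kind, fields) for a reject or session line, else None."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group("ts"), "%b %d %Y %H:%M:%S")
    m = REJECT_RE.search(line)
    if m:
        return when, "reject", m.groupdict()
    m = SESSION_RE.search(line)
    if m:
        return when, "session", m.groupdict()
    return None  # successes and other messages are not modelled here


def detect_brute_force(lines, window=60, threshold=5):
    """Return alerts in log order.

    brute_force: an IP reached `threshold` rejected logins within `window` seconds.
    session_after_brute_force: a WebVPN session started from an IP already flagged.
    """
    recent = defaultdict(deque)     # ip -> timestamps of rejects inside the window
    users_tried = defaultdict(set)  # ip -> usernames it has guessed against
    flagged, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, kind, f = parsed
        ip = f["ip"]
        if kind == "reject":
            q = recent[ip]
            q.append(when)
            users_tried[ip].add(f["user"])
            while (when - q[0]).total_seconds() > window:  # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "at": when,
                               "failures": len(q),
                               "users": sorted(users_tried[ip])})
        elif ip in flagged:  # a session from an IP that was brute forcing
            alerts.append({"type": "session_after_brute_force", "ip": ip,
                           "at": when, "user": f["user"], "group": f["group"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert carries the group the session landed in; a value of DfltGrpPolicy there means the default group policy is still reachable, which is exactly the condition listed above. Rejections spread across many usernames from one IP (the `users` field) are the password-spraying variant of the same attack and are caught by the same per-IP counter.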
Mitigating the flaw
Cisco will release a security update to address CVE-2023-20269, but until fixes are available, system administrators are advised to take the following actions:
- Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.
- Deny access with the Default Group Policy by setting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensure that all VPN session profiles point to a custom policy.
- Restrict the LOCAL user database by locking specific users to a single profile with the 'group-lock' option, and prevent VPN logins for accounts that do not need them by setting 'vpn-simultaneous-logins' to zero.
Cisco also recommends securing the Default Remote Access VPN profiles by pointing all non-default profiles to a sinkhole AAA server (a dummy LDAP server) and enabling logging so that attack attempts are caught early.
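The workarounds above can be checked mechanically against a running configuration. The script below is an added example, not Cisco's tooling or code from the article: it parses `show running-config` text and reports DfltGrpPolicy still able to create sessions or still allowing clientless SSL VPN, remote-access profiles that fall back to DfltGrpPolicy, custom policies that would inherit vpn-simultaneous-logins from the default (group policies inherit unset attributes from DfltGrpPolicy, so a custom policy must set the value explicitly or its users are locked out too), local users with neither group-lock nor vpn-simultaneous-logins 0, and the built-in default profiles still authenticating against LOCAL. It assumes the sinkhole AAA server is applied to the ASA's built-in default profiles DefaultWEBVPNGroup and DefaultRAGroup, which the article does not name. The weak and hardened configs it ships with are constructed; RA-VPN, RA-POLICY, LDAP-PROD and SINKHOLE are made-up names, password hashes are elided, and DAP rules are not modelled.

```python
"""Audit an ASA running-config for the CVE-2023-20269 workarounds.

Added example, not Cisco's tooling. Both configs are constructed: RA-VPN,
RA-POLICY, LDAP-PROD and SINKHOLE are made-up names, hashes are elided.
DefaultWEBVPNGroup and DefaultRAGroup are the ASA built-in default profiles
(an assumption about where the sinkhole AAA server belongs). No DAP checks.
"""
import re

WEAK_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
username admin password <hash> pbkdf2 privilege 15
username vpnuser password <hash> pbkdf2
tunnel-group RA-VPN type remote-access
"""

HARDENED_CONFIG = """\
aaa-server SINKHOLE protocol ldap
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
username admin password <hash> pbkdf2 privilege 15
username admin attributes
 vpn-simultaneous-logins 0
username vpnuser password <hash> pbkdf2
username vpnuser attributes
 group-lock value RA-VPN
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-PROD
 default-group-policy RA-POLICY
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE
"""


def parse_blocks(config):
    """Group config text into {top-level command: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def sub(blocks, header, keyword):
    """Arguments of the first `keyword` sub-command under `header`, else None."""
    for line in blocks.get(header, []):
        parts = line.split()
        if parts[0] == keyword:
            return parts[1:]
    return None


def audit(config):
    """Return a list of findings; an empty list means the workarounds are in place."""
    b, findings = parse_blocks(config), []
    dflt = "group-policy DfltGrpPolicy attributes"
    if sub(b, dflt, "vpn-simultaneous-logins") != ["0"]:
        findings.append("DfltGrpPolicy: vpn-simultaneous-logins is not 0")
    protos = sub(b, dflt, "vpn-tunnel-protocol")
    if protos is None or "ssl-clientless" in protos:
        findings.append("DfltGrpPolicy: ssl-clientless allowed (or protocol list not set explicitly)")
    for header in b:
        m = re.match(r"tunnel-group (\S+) type remote-access$", header)
        if m:
            tg = m.group(1)
            gp = sub(b, f"tunnel-group {tg} general-attributes", "default-group-policy")
            if gp is None or gp == ["DfltGrpPolicy"]:
                findings.append(f"tunnel-group {tg}: falls back to DfltGrpPolicy")
            elif sub(b, f"group-policy {gp[0]} attributes", "vpn-simultaneous-logins") is None:
                findings.append(f"group-policy {gp[0]}: inherits vpn-simultaneous-logins from DfltGrpPolicy")
        m = re.match(r"username (\S+) password ", header)
        if m:
            attrs = f"username {m.group(1)} attributes"
            locked = sub(b, attrs, "group-lock") not in (None, ["none"])
            denied = sub(b, attrs, "vpn-simultaneous-logins") == ["0"]
            if not (locked or denied):
                findings.append(f"username {m.group(1)}: no group-lock and vpn-simultaneous-logins not 0")
    for tg in ("DefaultWEBVPNGroup", "DefaultRAGroup"):  # built-in default profiles
        aaa = sub(b, f"tunnel-group {tg} general-attributes", "authentication-server-group")
        if aaa is None or "LOCAL" in aaa:  # absent means LOCAL; LOCAL as fallback is also weak
            findings.append(f"tunnel-group {tg}: authenticates against LOCAL; point it at a sinkhole AAA server")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against the output of `show running-config` from the appliance; the hardened sample should come back clean and the weak one should list every condition the article describes. The inheritance check is the one that bites in practice: setting DfltGrpPolicy to zero logins without an explicit value in each custom policy denies legitimate users as well as attackers.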
Finally, it is important to note that multi-factor authentication (MFA) mitigates the risk: even a successfully brute-forced password is not enough to hijack an MFA-protected account and use it to establish a VPN connection, which is why Cisco's earlier advisory singled out devices without MFA configured.