Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that is actively exploited by ransomware operations to gain initial access to corporate networks.
The medium-severity zero-day vulnerability affects the remote access VPN feature of Cisco ASA and Cisco FTD, allowing unauthenticated remote attackers to conduct brute-force attacks against existing accounts.
By accessing these accounts, the attackers can establish a clientless SSL VPN session in the breached organization's network, which can have various repercussions depending on the victim's network configuration.
Last month, BleepingComputer reported that the Akira ransomware gang was breaching corporate networks almost exclusively through Cisco VPN devices, with cybersecurity firm SentinelOne speculating that it could be via an unknown vulnerability.
A week later, Rapid7 reported that the LockBit ransomware operation had also exploited an undocumented security issue in Cisco VPN devices alongside Akira. However, the exact nature of the problem remained unclear.
At the time, Cisco released an advisory warning that the breaches were carried out by brute-forcing credentials on devices without MFA configured.
This week, Cisco confirmed the existence of a zero-day vulnerability that was used by these ransomware gangs and provided workarounds in an interim security bulletin.
However, security updates for the affected products are not available yet.
Vulnerability details
The CVE-2023-20269 flaw is located in the web services interface of Cisco ASA and Cisco FTD devices, specifically in the functions that handle authentication, authorization, and accounting (AAA).
The flaw is caused by improper separation of the AAA functions from other software features. This leads to scenarios where an attacker can send authentication requests to the web services interface to affect or compromise authorization components.
Since these requests are not limited, the attacker can brute-force credentials by trying numerous username and password combinations without being rate-limited or blocked for abuse.
For the brute-force attacks to work, the Cisco appliance must meet the following conditions:
- At least one user is configured with a password in the LOCAL database, or HTTPS management authentication points to a valid AAA server.
- SSL VPN is enabled on at least one interface, or IKEv2 VPN is enabled on at least one interface.
If the targeted device runs Cisco ASA Software Release 9.16 or earlier, the attacker can establish a clientless SSL VPN session without additional authorization once authentication succeeds.
To establish this clientless SSL VPN session, the targeted device needs to meet these conditions:
- The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute-force attack methods.
- The device is running Cisco ASA Software Release 9.16 or earlier.
- SSL VPN is enabled on at least one interface.
- The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.
Mitigating the flaw
Cisco will release a security update to address CVE-2023-20269, but until fixes are made available, system administrators are advised to take the following actions:
- Use DAP (Dynamic Access Policies) to stop VPN tunnels that land in DefaultADMINGroup or DefaultL2LGroup.
- Deny access with the Default Group Policy by setting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensure that every VPN session profile points to a custom group policy.
- Restrict the LOCAL user database by locking specific users to a single profile with the 'group-lock' option, and prevent VPN logins for accounts that should never build a tunnel by setting their 'vpn-simultaneous-logins' to zero.
Cisco also recommends securing the default remote access VPN profiles by pointing all non-default profiles to a sinkhole AAA server (a dummy LDAP server) and enabling logging to catch attack attempts early.
Finally, it is important to note that multi-factor authentication (MFA) mitigates the risk: even successfully brute-forcing an account's password would not be enough to hijack an MFA-protected account and use it to establish a VPN connection.
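The workarounds above, written out as an ASA CLI configuration fragment. This is an added illustration for this article, not configuration taken from Cisco's bulletin: the group policy RA-USERS, tunnel-group RA-TG, AAA server tag SINKHOLE, usernames, interface names and 192.0.2.x addresses are hypothetical placeholders, the DAP rules from the first bullet are normally built in ASDM and are not shown, and every line should be checked against the advisory and your running configuration before it is applied.

```text
! Hypothetical ASA configuration illustrating the interim workarounds.
! Names (RA-USERS, RA-TG, SINKHOLE, alice, svc-backup), interfaces and
! 192.0.2.x addresses are placeholders; DAP rules are not shown here.

! 1. The default group policy denies all VPN logins ...
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! ... and every real remote-access profile points to an explicit policy
! that allows only the protocol actually in use (no clientless SSL VPN).
group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 default-group-policy RA-USERS

! 2. LOCAL database: pin VPN users to one profile, and give accounts
! that must never build a tunnel (e.g. a management-only account)
! zero simultaneous logins.
username alice attributes
 group-lock value RA-TG
username svc-backup attributes
 vpn-simultaneous-logins 0

! 3. Sinkhole the default remote-access profiles: any authentication
! that lands in DefaultRAGroup or DefaultWEBVPNGroup is sent to a dummy
! LDAP server on which no credential can ever succeed.
aaa-server SINKHOLE protocol ldap
aaa-server SINKHOLE (inside) host 192.0.2.250
 ldap-base-dn dc=sinkhole,dc=invalid
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE

! 4. Ship syslog off-box so failed logins and new sessions are visible.
logging enable
logging trap informational
logging host inside 192.0.2.10
```

Two checks are worth doing after applying this. First, confirm that no tunnel-group still inherits from DfltGrpPolicy (`show running-config tunnel-group` and `show running-config group-policy DfltGrpPolicy`), because the zero login limit on the default policy is what denies an attacker who authenticates into a default profile; a profile that still inherits it will simply lock out its legitimate users. Second, watch the collected syslog for bursts of AAA authentication rejections (for example %ASA-6-113005 and %ASA-6-113015) followed by a WebVPN session start (%ASA-6-716001) against a default group or an unexpected username, and compare against `show vpn-sessiondb`; that sequence is the brute-force-then-login pattern the article describes.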