
- 217/2023
- High
Cisco has released a security advisory to mitigate a zero-day vulnerability affecting Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
The zero-day vulnerability is located in the web services interface of Cisco ASA and Cisco FTD devices, specifically in the functions that handle authentication, authorization, and accounting (AAA).
This flaw could allow an unauthenticated attacker to bypass security restrictions by conducting brute-force attacks against existing accounts; once such an account has been accessed, the attacker can establish a clientless SSL VPN session in the breached organization's network.
It should be highlighted that security researchers have discovered ransomware groups exploiting this zero-day vulnerability in Cisco VPN devices to breach corporate networks.
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Security Bypass (CVE-2023-20269):
- CVSS: 5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Bypass Security
Vulnerabilities
CVE-2023-20269
Mitigations
A security update from Cisco is in progress; until then, system administrators are urged to consider the following workarounds:
1. Use Dynamic Access Policies (DAP) to terminate VPN tunnels when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used.
2. Deny Remote Access VPN using the Default Group Policy (DfltGrpPolicy).
3. Restrict Users in the LOCAL User Database:
a. Lock Users to a Specific Connection Profile/Tunnel Group.
b. Prevent Users from Establishing Remote Access VPN Sessions.
Additionally, Cisco recommends that administrators secure the default Remote Access VPN profiles and enable logging, as described in the Recommendations section of the Cisco Security Advisory.
Finally, there is no way to completely prevent a brute-force attack, but Cisco encourages administrators to use multi-factor authentication to mitigate the risk.
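Workarounds 2 and 3 and the logging recommendation above, as an added illustrative ASA configuration fragment that is not taken from this bulletin or from Cisco's advisory. The connection profile CORP-VPN, group policy CORP-GP, the user names and the syslog host 192.0.2.10 are assumed, the LOCAL accounts are assumed to exist already, and each command should be checked against Cisco's advisory for the release in use before it is applied.

```cisco
! Added example, not from the bulletin or Cisco's advisory. CORP-VPN, CORP-GP,
! the user names and the syslog host 192.0.2.10 are assumed; verify every
! command against Cisco's advisory for the running release before applying.
!
! Workaround 2: deny remote-access VPN through the default group policy.
! DfltGrpPolicy is inherited by every group policy and tunnel group that does
! not set the attribute itself, so this closes the default connection profiles
! (DefaultWEBVPNGroup, DefaultRAGroup, ...) that a brute-forced account
! would otherwise be able to use.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! Legitimate users keep access through an explicitly named connection profile
! whose own group policy overrides the inherited value.
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-simultaneous-logins 3
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 default-group-policy CORP-GP
!
! Workaround 3a: lock a LOCAL user to that connection profile, so the
! credential is rejected if presented to any other tunnel group, including
! the default ones.
username alice attributes
 group-lock value CORP-VPN
!
! Workaround 3b: a LOCAL account that exists only for device administration
! must not be usable to build a remote-access VPN session at all.
username ops-admin attributes
 vpn-simultaneous-logins 0
!
! Enable logging so authentication failures against the VPN are recorded
! locally and forwarded to a syslog/SIEM host for brute-force detection.
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging host inside 192.0.2.10
```

After applying the change, confirm from a second session that the named profile still accepts a test login while the default profiles reject it, so that the DfltGrpPolicy change does not lock out legitimate users.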