CVE-ID: CVE-2023-20269 - to mitigate this vulnerability

Jay Kumar
Cisco Employee

As per the CVE, the detailed information is available in the advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC).

I request you to kindly go through the same to understand Cisco's recommendation.

To highlight:

  *   CVE-2023-20269 is a zero-day vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that is actively exploited by ransomware operations to gain initial access to corporate networks.

  *   The medium-severity zero-day vulnerability impacts the VPN feature of Cisco ASA and Cisco FTD, allowing unauthorized remote attackers to conduct brute-force attacks against existing accounts.

  *   The CVE-2023-20269 flaw is located within the web services interface of the Cisco ASA and Cisco FTD devices, specifically in the functions that handle authentication, authorization, and accounting (AAA).

  *   The flaw is caused by improper separation of the AAA functions from other software features. This leads to scenarios where an attacker can send authentication requests to the web services interface to impact or compromise authorization components.

  *   Since these requests are not limited, the attacker can brute-force credentials using countless username and password combinations without being rate-limited or blocked for abuse.

For the brute-force attacks to work, the Cisco appliance must meet the following conditions:

  *   At least one user is configured with a password in the LOCAL database, or HTTPS management authentication points to a valid AAA server.

  *   SSL VPN is enabled on at least one interface, or IKEv2 VPN is enabled on at least one interface.

To establish this clientless SSL VPN session, the targeted device needs to meet these conditions:

  *   The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute-force attack techniques.

  *   The device is running Cisco ASA Software Release 9.16 or earlier.

  *   SSL VPN is enabled on at least one interface.

  *   The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.

Mitigating the flaw

Cisco will release a security update to address CVE-2023-20269, but until fixes are made available, system administrators are recommended to take the following actions:

  *   Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.

  *   Deny access with the Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero and ensuring that all VPN session profiles point to a custom policy.

  *   Implement LOCAL user database restrictions by locking specific users to a single profile with the 'group-lock' option, and prevent VPN setups by setting 'vpn-simultaneous-logins' to zero.

  *   Cisco also recommends securing Default Remote Access VPN profiles by pointing all non-default profiles to a sinkhole AAA server (dummy LDAP server) and enabling logging to catch potential attack incidents early.

Finally, it is crucial to note that multi-factor authentication (MFA) mitigates the risk, as even successfully brute-forcing account credentials wouldn't be enough to hijack MFA-secured accounts and use them to establish VPN connections.

Reference:

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

Cisco warns of VPN zero-day exploited by ransomware gangs (bleepingcomputer.com): https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/
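The mitigations listed in the post above, written out as ASA CLI configuration. This is an added example, not configuration taken from the post or from Cisco's advisory, and it covers three of the four actions (the DAP step is normally built in ASDM and is left out): denying access through DfltGrpPolicy while moving production profiles to a custom policy, restricting LOCAL users with group-lock and vpn-simultaneous-logins, and pointing the built-in default remote-access profiles at a sinkhole LDAP server with syslog enabled. The interface name, addresses, tunnel-group, group-policy and user names are placeholders; the tunnel groups shown for the sinkhole are the built-in default remote-access profiles, so check the advisory for which profiles apply to your deployment.

```cisco
! Added example, not from the post or Cisco's advisory. Placeholders:
! interface 'inside', hosts 192.0.2.10/192.0.2.20, EMPLOYEE-TG, EMPLOYEE-GP,
! users jdoe and netadmin. Replace them with your own values.

! 1. Deny access through the Default Group Policy: nothing may log in
!    under DfltGrpPolicy, so a profile that still inherits from it cannot
!    build a tunnel. Every production profile must therefore point at
!    its own custom policy that allows logins (next block).
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

group-policy EMPLOYEE-GP internal
group-policy EMPLOYEE-GP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

tunnel-group EMPLOYEE-TG type remote-access
tunnel-group EMPLOYEE-TG general-attributes
 default-group-policy EMPLOYEE-GP

! 2. LOCAL database restrictions: pin a VPN user to exactly one profile
!    with group-lock, and deny VPN logins entirely for accounts (for
!    example a management-only user) that should never build a tunnel.
username jdoe attributes
 group-lock value EMPLOYEE-TG
username netadmin attributes
 vpn-simultaneous-logins 0

! 3. Sinkhole the built-in default remote-access profiles: authentication
!    requests that land on them are sent to an LDAP server that will
!    never return a valid user, so they cannot succeed. The host address
!    is a placeholder for a dummy LDAP server you control.
aaa-server SINKHOLE protocol ldap
aaa-server SINKHOLE (inside) host 192.0.2.10
 ldap-base-dn dc=sinkhole,dc=invalid
 ldap-scope subtree

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE

! 4. Logging to a collector (placeholder address), so rejected
!    authentications and requests hitting the default profiles are
!    visible instead of silently absorbed.
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.20
```

Before setting vpn-simultaneous-logins to zero on DfltGrpPolicy, confirm with `show running-config tunnel-group` that no production tunnel group still relies on the default policy, otherwise legitimate users are locked out along with the attacker; the custom policy and tunnel group above exist precisely to give those users somewhere to land.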
