Ransomware Gangs Exploit Cisco VPN Zero-Day Vulnerability

September 8, 2023

Cisco has alerted users about a zero-day vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which ransomware gangs are currently exploiting to gain initial access to corporate networks. This medium-severity zero-day vulnerability affects the VPN feature of Cisco ASA and FTD, allowing unauthenticated remote attackers to conduct brute force attacks against existing accounts. A successful attack can lead to the establishment of a clientless SSL VPN session inside the victim's network; the consequences of that session vary with the network's configuration.

Previously, it was reported that the Akira ransomware gang had been breaching corporate networks primarily through Cisco VPN devices. Cybersecurity firm SentinelOne speculated that this could be due to an unknown vulnerability. A week later, it was reported that the LockBit ransomware operation was also exploiting an undocumented security problem in Cisco VPN devices. The exact nature of the issue was not clear at the time. Cisco had previously released an advisory warning that breaches were being carried out by brute forcing credentials on devices without multi-factor authentication (MFA) configured.

This week, Cisco confirmed the existence of a zero-day vulnerability, CVE-2023-20269, which these ransomware gangs have been using. Cisco provided workarounds in a temporary security bulletin but has not yet released security updates for the affected products. The CVE-2023-20269 flaw is located within the web services interface of Cisco ASA and FTD devices, specifically in the code that handles authentication, authorization, and accounting (AAA). The flaw results from improper separation of the AAA functions from other software features, leading to scenarios where an attacker can send authentication requests to the web services interface to affect or compromise authorization components. Because these requests are not limited, an attacker can try an unlimited number of username and password combinations without being rate-limited or blocked.

For the brute force attacks to be effective, the Cisco device must meet certain conditions. On devices running Cisco ASA Software Release 9.16 or earlier that meet those conditions, an attacker who authenticates successfully can establish a clientless SSL VPN session without any additional authorization. Cisco plans to release a security update to address CVE-2023-20269. Until then, system administrators are advised to apply the published workarounds. Cisco also suggests securing the default remote access VPN profiles by directing all non-default profiles to a sinkhole AAA server (a dummy LDAP server) and enabling logging so that attack attempts are detected early. It is important to note that multi-factor authentication (MFA) reduces the risk: even successfully brute-forced credentials are not enough to hijack an MFA-secured account and use it to establish a VPN connection.
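The unlimited-attempt behaviour described above, and the logging Cisco recommends as a workaround, are what a defender's detection keys on. The following script is an added example written for this article, not code from Cisco or from the original post. It parses constructed syslog lines shaped like ASA AAA messages 113005 (authentication rejected, carrying the client's "user IP") and 113004 (authentication successful, carrying only the username); the field layout is an assumption taken from the documented message templates, and the thresholds and the sample addresses are chosen for illustration. It raises three kinds of alert: a burst of failures from one source, many distinct usernames tried from one source, and a success preceded by repeated failures on the same account, which is the case MFA is meant to stop.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not output captured from a device. Lines follow the
# shape of ASA AAA syslog messages 113005 (rejected, external AAA server)
# and 113004 (successful). Field layout is an assumption from the documented
# templates; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 08 2023 10:00:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
Sep 08 2023 10:00:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
Sep 08 2023 10:00:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 198.51.100.7
Sep 08 2023 10:00:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bwong : user IP = 198.51.100.7
Sep 08 2023 10:00:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cdiaz : user IP = 198.51.100.7
Sep 08 2023 10:00:06 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
Sep 08 2023 10:00:09 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
Sep 08 2023 10:15:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mlee : user IP = 203.0.113.9
Sep 08 2023 10:30:00 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = mlee
"""

# Timestamp, host, message id, result, then the " : "-separated key = value tail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d+): "
    r"AAA user authentication (?P<result>Rejected|Successful) : (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for an AAA authentication message, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("rest").split(" : "):
        key, sep, val = part.partition(" = ")
        if sep:  # skips bare tokens such as "local database"
            fields[key.strip()] = val.strip()
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msgid": m.group("msgid"),
        "ok": m.group("result") == "Successful",
        "user": fields.get("user"),
        "ip": fields.get("user IP"),  # absent on success messages
        "reason": fields.get("reason"),
    }


def detect(log_text, window=timedelta(minutes=5), burst_threshold=5,
           spray_threshold=3, success_threshold=3):
    """Return (kind, key, count) alerts; each (kind, key) fires at most once."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    fails_by_ip = defaultdict(list)    # ip -> [(ts, user)] inside the window
    fails_by_user = defaultdict(list)  # user -> [ts] inside the window
    fired, alerts = set(), []

    def fire(kind, key, count):
        if (kind, key) not in fired:
            fired.add((kind, key))
            alerts.append((kind, key, count))

    for e in events:
        ts, user = e["ts"], e["user"]
        if e["ok"]:
            # A success right after a run of failures on the same account is the
            # outcome a brute force is after; MFA is what denies it at this point.
            prior = [t for t in fails_by_user[user] if ts - t <= window]
            if len(prior) >= success_threshold:
                fire("success_after_failures", user, len(prior))
            fails_by_user[user] = []
            continue
        ip = e["ip"]
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
        recent = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window] + [(ts, user)]
        fails_by_ip[ip] = recent
        if len(recent) >= burst_threshold:          # volume from one source
            fire("burst", ip, len(recent))
        distinct = {u for _, u in recent}
        if len(distinct) >= spray_threshold:        # breadth of accounts from one source
            fire("spray", ip, len(distinct))
    return alerts


if __name__ == "__main__":
    for kind, key, count in detect(SAMPLE_LOG):
        print(f"{kind:24s} {key:16s} {count}")
```

Because the device itself does not rate-limit these requests, the sliding window and thresholds live in the log pipeline instead; on a real deployment the same logic would run over the syslog feed from the sinkhole AAA server and the production server alike, and the "success_after_failures" alert is the one worth paging on.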
