A vulnerability (CVE-2023-20269) in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) firewalls is being exploited by attackers to gain access to vulnerable internet-exposed devices.
“This vulnerability was found during the resolution of a Cisco TAC support case,” the company noted in a recently published security advisory, and thanked Rapid7 for reporting attempted exploitation of this vulnerability.
CVE-2023-20269 affects the remote access VPN feature of Cisco ASA and FTD solutions.
It may allow:
- An unauthenticated, remote attacker to conduct a brute force attack to identify valid username and password combinations that can be used to establish an unauthorized remote access VPN session, or
- An authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user (but only when running Cisco ASA Software Release 9.16 or earlier)
Both approaches require certain conditions to be met.
“This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explained.
“An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials.”
But the company made sure to note that the flaw does not allow attackers to bypass authentication. “To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.”
While it works on fixing the vulnerability, Cisco has provided mitigation steps, indicators of compromise that might point to successful exploitation, and recommendations for admins.
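As an added illustration of the behaviour described above (a brute-force burst against the remote access VPN, followed by a session bound to a default tunnel group), here is a small detector run over constructed ASA-style syslog lines. It is example code, not Cisco's or Rapid7's, and the log layout, the five-failures-per-minute threshold and the `Default*` group naming are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on ASA syslog messages 113005 (auth
# rejected) and 113039 (VPN session started); the exact layout is an assumption.
SAMPLE_LOGS = """\
Sep 07 2023 10:00:01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Sep 07 2023 10:00:02 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Sep 07 2023 10:00:03 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Sep 07 2023 10:00:04 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Sep 07 2023 10:00:05 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 198.51.100.7
Sep 07 2023 10:00:09 %ASA-6-113039: Group <DefaultWEBVPNGroup> User <erin> IP <198.51.100.7> AnyConnect parent session started.
Sep 07 2023 10:05:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.9
Sep 07 2023 10:06:00 %ASA-6-113039: Group <SalesVPN> User <frank> IP <203.0.113.9> AnyConnect parent session started.
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
REJECT_RE = re.compile(TS + r" %ASA-6-113005: .* user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SESSION_RE = re.compile(TS + r" %ASA-6-113039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")

def parse_ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (brute_force, findings): bursty source IPs, and suspicious sessions."""
    failures = defaultdict(list)   # source IP -> rejected-login timestamps in window
    brute_force = {}               # source IP -> largest burst size observed
    findings = []                  # (ip, user, tunnel group, reasons)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = parse_ts(m["ts"])
            recent = [t for t in failures[m["ip"]] if ts - t <= window] + [ts]
            failures[m["ip"]] = recent
            if len(recent) >= threshold:
                brute_force[m["ip"]] = max(brute_force.get(m["ip"], 0), len(recent))
            continue
        m = SESSION_RE.search(line)
        if m:
            ip, group = m["ip"], m["group"]
            reasons = []
            if group.startswith("Default"):
                reasons.append("session bound to a default tunnel group")
            if ip in brute_force:
                reasons.append(f"source had {brute_force[ip]} rejected logins within {window.seconds}s")
            if reasons:
                findings.append((ip, m["user"], group, reasons))
    return brute_force, findings
```

On the sample above, the first source is flagged for five rejections in one minute and its later session is reported for both reasons, while the single failure and named-group session from the second source produce nothing.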
Caitlin Condon, head of vulnerability research at Rapid7, says that CVE-2023-20269 makes brute force attacks easier to conduct. Brute forcing was one of the techniques the company observed in recent ransomware attacks against enterprises, which began with brute-forcing Cisco ASAs that either did not have multi-factor authentication (MFA) configured or were not enforcing it.
“Cisco didn’t cite specific IPs or attribution information for the vulnerability in their advisory. They talked about attacker behavior a bit, but many attackers could have the same behavior. It’s not possible to discern whether there’s specific attacker overlap without more information,” she told Help Net Security.
“As we noted in our original blog on this, Rapid7 observed a number of different techniques being used, and a number of different payloads, including Akira and LockBit ransomware. Those attacks were all different. I’d reject the premise that there’s a single attacker or a set group of attackers.”