Date: 2023-09-08

Cisco has issued a warning about a zero-day vulnerability, tracked as CVE-2023-20269, in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software. The vulnerability is being actively exploited by ransomware operations seeking initial access to corporate networks. The medium-severity zero-day affects the remote access VPN feature of these Cisco products and enables an unauthenticated, remote attacker to carry out brute force attacks against existing accounts.

By gaining access to such an account, an attacker can establish a clientless SSL VPN session into the compromised network; the consequences then depend on the victim's network configuration. Previous reports indicated that ransomware gangs such as Akira and LockBit were targeting corporate networks primarily through Cisco VPN devices, potentially leveraging an unknown vulnerability.

The flaw lies in the web services interface of Cisco ASA and Cisco FTD devices, specifically in the authentication, authorization, and accounting (AAA) functions. Because these AAA functions are not properly separated from other software features, an attacker can send authentication requests to the web services interface and thereby affect authorization components. Since no rate limiting or lockout mechanism applies to these requests, the attacker can attempt credentials against the configured accounts without limit.

While Cisco has confirmed the zero-day and published workarounds in an interim security bulletin, official software updates for the affected products have not yet been released. In the meantime, administrators are advised to mitigate the flaw with measures such as using Dynamic Access Policies (DAP) to terminate VPN tunnels that use specific group policies, adjusting access settings in the Default Group Policy, and applying restrictions to users in the LOCAL database. Cisco also recommends securing the default remote access VPN profiles and enabling multi-factor authentication (MFA) to reduce the likelihood of a successful attack.

(Source: Cisco Advisory)
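Because the flaw means the device itself imposes no rate limit or lockout on these authentication attempts, detection on the logging side is the compensating control a defender can put in place today. The following Python script is an added illustration of that, not code from Cisco or from the advisory: it parses AAA rejection messages, counts rejections per source IP in a sliding window, and raises an alert when the count crosses a threshold. The log lines are constructed samples modelled on the layout of ASA syslog messages 113005 (rejection via an external AAA server) and 113015 (rejection against the LOCAL database); the exact field layout, the hostname, the addresses and the window/threshold values are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real device output). Layout approximates ASA
# syslog messages 113005 / 113015; hostname and addresses are placeholders.
SAMPLE_LOG = """\
Sep 08 2023 10:15:01 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.45
Sep 08 2023 10:15:02 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.45
Sep 08 2023 10:15:04 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.45
Sep 08 2023 10:15:05 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.45
Sep 08 2023 10:15:06 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = backup : user IP = 203.0.113.45
Sep 08 2023 10:15:08 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.45
Sep 08 2023 10:20:00 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mlee : user IP = 198.51.100.7
Sep 08 2023 10:31:00 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mlee : user IP = 198.51.100.7
"""

# Matches only AAA rejection messages; everything else is ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>113005|113015): AAA user authentication Rejected : "
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(text):
    """Return a list of rejection events (timestamp, message id, user, source IP)."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "msgid": m.group("msgid"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Alert once per source IP when `threshold` rejections fall inside `window`.

    Distinct usernames are tracked as well so that a low-and-slow spray across
    many accounts from one address is visible in the alert.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) inside window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Slide the window: drop entries older than `window` relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "source_ip": ev["ip"],
                "attempts": len(q),
                "distinct_users": len({u for _, u in q}),
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_rejections(SAMPLE_LOG)):
        print(f"ALERT {a['source_ip']}: {a['attempts']} rejections "
              f"({a['distinct_users']} users) between {a['first_seen']:%H:%M:%S} "
              f"and {a['last_seen']:%H:%M:%S}")
```

On the sample above the script raises one alert for 203.0.113.45 (five rejections within six seconds, spread over three usernames) and none for 198.51.100.7, whose two failures are eleven minutes apart. The threshold and window are tuning knobs; in production the same logic would run over syslog forwarded to a SIEM, and the alert is what should trigger the workarounds the advisory describes for the affected profile or group policy.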

Definitions:

– Cisco Adaptive Security Appliance (ASA): A security device that combines firewall, VPN, and intrusion prevention capabilities.

– Cisco Firepower Threat Defense (FTD): A unified software image that combines firewall, VPN, and intrusion prevention features.

– Zero-day vulnerability: A software vulnerability that is unknown to the vendor or developer, providing an opportunity for attackers to exploit it before a patch or update is released.

– Ransomware: A type of malicious software that encrypts a victim’s data and demands a ransom to restore access to it.

– VPN (Virtual Private Network): A network technology that allows secure communication between remote networks or devices over a public network, such as the internet.

– SSL VPN (Secure Sockets Layer Virtual Private Network): An encrypted VPN technology that provides secure remote access to network resources.

– AAA (Authentication, Authorization, and Accounting): A framework for controlling and managing access to computer systems and network resources, involving authentication of users, authorization of their access rights, and recording their activities.

Note: This article does not contain the original source URL.