
Critical CVE-2023-20269 Vulnerability in Cisco ASA and FTD Software: Ransomware Exploitation and Mitigation Strategies


Executive Summary

CVE-2023-20269 is a critical vulnerability identified in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability allows unauthenticated, remote attackers to conduct brute force attacks to identify valid username and password combinations or authenticated, remote attackers to establish a clientless SSL VPN session with an unauthorized user. The Akira ransomware group and Lockbit ransomware operation have been observed exploiting this vulnerability, posing a significant threat to organizations using these Cisco products. Immediate action is required to apply the necessary patches and implement the recommended workarounds to mitigate the risk of exploitation.

Technical Information

CVE-2023-20269 is a critical vulnerability that arises due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker can exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or establishing a clientless SSL VPN session using valid credentials. The vulnerability has a CVSS v3.1 Base Score of 9.1, indicating its critical nature. The attack vector is network-based, with low attack complexity and no privileges required for brute force attacks. However, valid credentials are required for establishing a clientless SSL VPN session. The impact on confidentiality and integrity is high, while availability remains unaffected.

The affected products include Cisco ASA Software Release 9.16 or earlier and Cisco Firepower Threat Defense (FTD) Software. The vulnerability has been actively exploited in the wild, with notable incidents involving the Akira ransomware group and the Lockbit ransomware operation. These groups have leveraged the vulnerability to gain unauthorized access to vulnerable systems, highlighting the urgent need for mitigation.

Exploitation in the Wild

Exploitation of CVE-2023-20269 has been observed in the wild, specifically by the Akira ransomware group and the Lockbit ransomware operation, which have used the vulnerability to gain unauthorized access to systems running vulnerable versions of Cisco ASA and FTD software. Indicators of Compromise (IOCs) include unusual source IP addresses attempting to reach VPN services, unusual login attempts, multiple failed login attempts, and abnormal network traffic patterns indicative of brute force attacks.
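To turn those indicators into a check a SOC can run, here is an added example (not from the original report) that scans Cisco ASA syslog lines for repeated AAA rejections from one source and for clientless sessions that land in a default group; the log lines and the set of default group names it flags are constructed assumptions.

```python
# Added example, not Cisco tooling. Formats follow Cisco's documented syslog IDs
# 113005/113015 (AAA rejected) and 716001 (WebVPN session started); SAMPLE_LOG is constructed.
import re
from collections import defaultdict

FAIL_RE = re.compile(r"%ASA-6-1130(?:05|15): AAA user authentication Rejected .*"
                     r"user = (\S+) : user IP = (\S+)")
SESSION_RE = re.compile(r"%ASA-6-716001: Group <([^>]+)> User <([^>]+)> IP <([^>]+)> "
                        r"WebVPN session started")
# Assumption: a clientless session landing in a default group/policy name is
# suspicious, since the workarounds route every legitimate profile to a custom policy.
DEFAULT_GROUPS = {"DfltGrpPolicy", "DefaultWEBVPNGroup", "DefaultRAGroup",
                  "DefaultADMINGroup", "DefaultL2LGroup"}

def analyze(lines, threshold=5):
    """Return alerts for password-spraying sources and suspicious session starts."""
    fails = defaultdict(int)    # source IP -> rejected authentications
    users = defaultdict(set)    # source IP -> distinct usernames attempted
    alerts = []
    for line in lines:
        if m := FAIL_RE.search(line):
            user, ip = m.groups()
            fails[ip] += 1
            users[ip].add(user)
            if fails[ip] == threshold:      # alert once, when the threshold is crossed
                alerts.append(f"brute-force: {ip} {threshold} rejects across {len(users[ip])} usernames")
        elif m := SESSION_RE.search(line):
            group, user, ip = m.groups()
            if group in DEFAULT_GROUPS:
                alerts.append(f"default-profile session: {user} from {ip} in {group}")
            if fails[ip] >= threshold:      # credentials found by spraying, then used
                alerts.append(f"success after spraying: {user} from {ip}")
    return alerts

SAMPLE_LOG = [
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.23",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.23",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 198.51.100.23",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 198.51.100.23",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.9",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23",
    "%ASA-6-716001: Group <DfltGrpPolicy> User <jdoe> IP <198.51.100.23> WebVPN session started.",
]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_LOG)))
```

The threshold and the flagged group names are tuning knobs; in production the same logic would be fed from a syslog collector rather than an inline list.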

APT Groups using this vulnerability

The Akira ransomware group and the Lockbit ransomware operation have been identified as active exploiters of CVE-2023-20269. These groups have targeted organizations across various sectors, leveraging the vulnerability to gain unauthorized access and deploy ransomware. The exploitation of this vulnerability by these APT groups underscores the critical need for organizations to implement robust security measures and stay vigilant against potential threats.

Affected Product Versions

The affected product versions include:
- Cisco ASA Software: Versions 9.16 and earlier
- Cisco FTD Software: Versions 7.0.6 and 7.2.5 (hotfixes available)

Workaround and Mitigation

Cisco has released software updates to address this vulnerability. Additionally, the following workarounds can be applied:
- Ensure that group-lock is configured for all connection profiles, so that specific users are locked to a single profile with the 'group-lock' option.
- Limit the number of simultaneous logins for VPN users.
- Use Dynamic Access Policies (DAP) to terminate VPN tunnels that use the DefaultADMINGroup or DefaultL2LGroup connection profiles.
- Set 'vpn-simultaneous-logins' to zero for DfltGrpPolicy, which prevents VPN setup through the default policy, and ensure that all VPN session profiles point to a custom group policy.
- Point all non-default profiles to a sinkhole AAA server (a dummy LDAP server) and enable logging to catch attack attempts early.
- Implement Multi-Factor Authentication (MFA): even successfully brute-forced credentials are not enough to hijack an MFA-secured account and use it to establish a VPN connection.
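The group-lock and vpn-simultaneous-logins workarounds are easy to get half right, so here is an added example (not Cisco's or this report's own code) that audits an ASA running-config for them, including the inheritance trap where a custom group policy without its own login limit inherits the zero set on DfltGrpPolicy; the sample configuration and profile names are constructed.

```python
# Added example, not Cisco tooling; SAMPLE_CONFIG at the bottom is constructed.
import re

def parse_blocks(text):
    """Map each unindented config line to the indented lines beneath it."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def attr(lines, key):
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)

def audit(text):
    """Return a finding per failed workaround check; an empty list means all pass."""
    blocks = parse_blocks(text)
    policy = lambda p: blocks.get(f"group-policy {p} attributes", [])
    findings = []
    if attr(policy("DfltGrpPolicy"), "vpn-simultaneous-logins") != "0":
        findings.append("DfltGrpPolicy: vpn-simultaneous-logins is not 0")
    for name in re.findall(r"^tunnel-group (\S+) type remote-access$", text, re.M):
        pol = attr(blocks.get(f"tunnel-group {name} general-attributes", []), "default-group-policy")
        if pol is None:
            findings.append(f"{name}: no default-group-policy, uses DfltGrpPolicy")
            continue
        # Unset attributes inherit from DfltGrpPolicy, so 0 there locks this profile out too.
        if attr(policy(pol), "vpn-simultaneous-logins") is None:
            findings.append(f"{name}: policy {pol} inherits vpn-simultaneous-logins")
        if attr(policy(pol), "group-lock") != f"value {name}":
            findings.append(f"{name}: policy {pol} lacks 'group-lock value {name}'")
    return findings
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
group-policy CORP_POLICY attributes
 vpn-simultaneous-logins 2
 group-lock value CORP_RA
group-policy CONTRACTOR_POLICY attributes
 group-lock value CONTRACTOR_RA
tunnel-group CORP_RA type remote-access
tunnel-group CORP_RA general-attributes
 default-group-policy CORP_POLICY
tunnel-group CONTRACTOR_RA type remote-access
tunnel-group CONTRACTOR_RA general-attributes
 default-group-policy CONTRACTOR_POLICY
tunnel-group LEGACY_RA type remote-access
"""
```

Running audit(SAMPLE_CONFIG) flags the default policy limit, the contractor profile that would inherit it, and the legacy profile with no custom policy at all, while CORP_RA passes.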

References

For more detailed information, please refer to the following sources:
- NVD: CVE-2023-20269 (https://nvd.nist.gov/vuln/detail/CVE-2023-20269)
- Cisco Security Advisory: cisco-sa-asaftd-ravpn-auth-8LyfCkeC (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC)
- BleepingComputer: Cisco warns of VPN zero-day exploited by ransomware gangs (https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/)
- CISA: Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Rescana is here for you

At Rescana, we understand the critical importance of staying ahead of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2023-20269. We are committed to providing our customers with the tools and insights needed to protect their systems and data. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
