Ransomware groups including LockBit and Akira are reportedly exploiting a zero-day vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances with VPN functionality enabled.
Background
On September 6, Cisco published an advisory for a zero-day vulnerability in the software for its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances that has reportedly been exploited in the wild:
CVE | Description | CVSSv3 | VPR*
--- | --- | --- | ---
CVE-2023-20269 | Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability | 5.0 | 3.2

*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September XX and reflects VPR at that time.
Analysis
CVE-2023-20269 is an unauthorized access vulnerability in the remote access VPN feature of the Cisco ASA and FTD software. According to Cisco, the vulnerability exists due to the "improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features."
Exploitation is not considered straightforward, as there are prerequisites that must be met in each scenario for an attack to be successful.
Scenario #1: Brute force attack
A remote, unauthenticated attacker can attempt to brute-force usernames and passwords for the vulnerable system. For exploitation to occur, the vulnerable system needs to have at least one user with a password in the local database, or HTTPS management authentication must point to a valid AAA server. In addition, either SSL VPN or IKEv2 VPN must be enabled on at least one interface.
Scenario #2: Clientless SSL VPN Session
A remote, authenticated attacker using valid credentials establishes a "clientless SSL VPN session with an unauthorized user."
As noted in the scenario, the attacker must first have valid credentials found in the local database or in the AAA server used for HTTPS management authentication, obtained either through a brute force attack or by using stolen credentials purchased on the dark web. The targeted system must be running a vulnerable version of Cisco ASA software, which includes versions 9.16 and earlier. The SSL VPN feature must be enabled on at least one interface, and the DfltGrpPolicy group policy must allow the clientless SSL VPN protocol.
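The two scenarios above reduce to a handful of configuration facts that can be read straight out of an ASA running-config. The script below is an added example written for this post, not Cisco's tooling or Tenable's plugin logic: it parses a `show running-config` excerpt and reports whether the prerequisites of Scenario #1 and Scenario #2 are present. It assumes the usual ASA layout in which sub-commands are indented by one space, and both sample configs are constructed for the example rather than captured from a real device.

```python
"""Check an ASA running-config excerpt for the CVE-2023-20269 prerequisites.

Added example for this post (not Cisco's or Tenable's code). Assumes
'show running-config' output with sub-commands indented by one space and
the exposure conditions exactly as described in the two scenarios.
"""
import re

# Constructed sample: meets the prerequisites of both scenarios.
EXPOSED_CONFIG = """\
ASA Version 9.16(4)
hostname asa-edge
username vpnuser password $sha512$5000$c2FsdA==$aGFzaA== pbkdf2 privilege 2
aaa authentication http console LOCAL
webvpn
 enable outside
 anyconnect enable
crypto ikev2 enable outside client-services port 443
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
"""

# Constructed sample: newer release, clientless SSL VPN removed from DfltGrpPolicy.
TIGHTENED_CONFIG = """\
ASA Version 9.18(3)
hostname asa-edge
username vpnuser password $sha512$5000$c2FsdA==$aGFzaA== pbkdf2 privilege 2
aaa authentication http console LOCAL
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)")
USER_RE = re.compile(r"^username (\S+) password \S+")
HTTP_AAA_RE = re.compile(r"^aaa authentication http console (\S+)")
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+)")


def parse_asa_config(text):
    """Extract the configuration facts the two scenarios depend on."""
    facts = {"version": None, "local_users": [], "http_aaa": None,
             "ssl_vpn_ifaces": [], "ikev2_ifaces": [], "dflt_clientless": False}
    block = None  # top-level command whose indented sub-commands are being read
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sub = raw.strip().split()
            if block == "webvpn" and sub[0] == "enable" and len(sub) > 1:
                facts["ssl_vpn_ifaces"].append(sub[1])       # SSL VPN listening here
            elif block == "dfltgrp" and sub[0] == "vpn-tunnel-protocol":
                facts["dflt_clientless"] = "ssl-clientless" in sub[1:]
            continue
        line = raw.strip()
        block = None
        if line == "webvpn":
            block = "webvpn"
        elif line == "group-policy DfltGrpPolicy attributes":
            block = "dfltgrp"
        elif m := VERSION_RE.match(line):
            facts["version"] = (int(m.group(1)), int(m.group(2)))
        elif m := USER_RE.match(line):
            facts["local_users"].append(m.group(1))          # user with a password in LOCAL
        elif m := HTTP_AAA_RE.match(line):
            facts["http_aaa"] = m.group(1)                   # LOCAL or an AAA server group
        elif m := IKEV2_RE.match(line):
            facts["ikev2_ifaces"].append(m.group(1))
    return facts


def has_credential_source(facts):
    """A local user with a password, or HTTPS management auth pointing at an AAA server."""
    external_aaa = facts["http_aaa"] is not None and facts["http_aaa"] != "LOCAL"
    return bool(facts["local_users"]) or external_aaa


def scenario1_exposed(facts):
    """Brute force scenario: credential source plus SSL VPN or IKEv2 VPN on an interface."""
    vpn_listening = bool(facts["ssl_vpn_ifaces"] or facts["ikev2_ifaces"])
    return has_credential_source(facts) and vpn_listening


def scenario2_exposed(facts):
    """Clientless session scenario: 9.16 or earlier, SSL VPN enabled, DfltGrpPolicy clientless."""
    old_enough = facts["version"] is not None and facts["version"] <= (9, 16)
    return (old_enough and has_credential_source(facts)
            and bool(facts["ssl_vpn_ifaces"]) and facts["dflt_clientless"])


def assess(text):
    facts = parse_asa_config(text)
    return {"scenario1": scenario1_exposed(facts), "scenario2": scenario2_exposed(facts)}


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("tightened", TIGHTENED_CONFIG)):
        print(name, assess(cfg))
```

Note what the second sample shows: dropping `ssl-clientless` from DfltGrpPolicy and moving to a newer release closes Scenario #2, but Scenario #1 still applies as long as a local user with a password exists and SSL VPN or IKEv2 is enabled on an interface, so the brute force exposure has to be addressed separately (MFA, lockout, and Cisco's published workarounds).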
LockBit and Akira ransomware groups have been targeting Cisco ASA systems
On August 24, Cisco's Product Security Incident Response Team (PSIRT) published a blog post noting that the Akira ransomware group and its affiliates have been targeting Cisco VPNs as far back as March 2023, particularly systems that have not been configured with multi-factor authentication (MFA). Additionally, the LockBit ransomware group has also been linked to attacks against Cisco ASA systems not protected with MFA.
Ransomware groups and their affiliates use a myriad of ways to breach organizations, including the exploitation of both known and zero-day vulnerabilities. For more insights into ransomware and the various players involved, please check out our report, "The Ransomware Ecosystem."
SSL VPNs continue to provide a reliable doorway for attacks
For the past few years, the Tenable Security Response Team (SRT) has been warning that SSL VPNs are an easy and reliable doorway for attackers to breach organizations. There have been several notable vulnerabilities in a variety of SSL VPN systems, including Citrix, Pulse Secure and Fortinet. The discovery of attacks against Cisco ASA and FTD systems reportedly using CVE-2023-20269 serves as an important reminder of the value of safeguarding SSL VPNs from attacks conducted by ransomware groups and other cybercriminals.
Proof of concept
At the time this blog post was published, there was no public proof-of-concept (PoC) for CVE-2023-20269.
Solution
As of September 11, there were no fixed versions of Cisco ASA or FTD software that address this vulnerability. Instead, Cisco has shared a variety of workarounds to help thwart exploitation attempts.
The following Cisco products are not affected by CVE-2023-20269:
- Firepower Management Center (FMC) Software
- FXOS Software
- IOS Software
- IOS XE Software
- IOS XR Software
- NX-OS Software
Additionally, Cisco has shared indicators of compromise that can be used to determine whether exploitation attempts against a device have been observed or have been successful.
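Scenario #1 is a brute force attack, so the most basic signal to look for, independent of Cisco's published indicators, is a burst of AAA rejections against the remote access VPN. The script below is an added example written for this post, not Cisco's or Tenable's code. It assumes the rejections arrive as ASA syslog message 113005 in the form `AAA user authentication Rejected : reason = ... : server = ... : user = ... : user IP = ...` (adjust the regex if your logging format differs), and the sample log lines are constructed for the example, not captured from a real device. It separates a single-account brute force (one source, many attempts at one user) from a password spray (one source, a few attempts each across many users).

```python
"""Flag brute force and password spray attempts against an ASA remote access VPN
from AAA rejection syslog messages.

Added example for this post (not Cisco's or Tenable's code). Assumes the
ASA-6-113005 message layout shown in REJECT_RE; sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample syslog: one brute force source, one spray source, one benign typo.
SAMPLE_SYSLOG = """\
Sep 07 2023 10:01:02 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Sep 07 2023 10:01:03 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Sep 07 2023 10:01:04 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Sep 07 2023 10:01:05 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Sep 07 2023 10:01:06 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Sep 07 2023 10:01:07 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Sep 07 2023 10:02:10 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9
Sep 07 2023 10:02:11 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 203.0.113.9
Sep 07 2023 10:02:12 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.9
Sep 07 2023 10:05:40 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mlee : user IP = 192.0.2.77
Sep 07 2023 10:05:41 asa-edge %ASA-6-302013: Built inbound TCP connection 9001 for outside:192.0.2.77/51234 (192.0.2.77/51234) to identity:198.18.0.1/443 (198.18.0.1/443)
"""

# Assumed ASA-6-113005 layout; tune the separators if your syslog differs.
REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)")


def parse_rejects(text):
    """Return one dict per 113005 rejection; other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_attackers(events, brute_threshold=5, spray_threshold=3):
    """Group rejections by source IP and label each suspicious source.

    brute-force:    one source with at least brute_threshold rejections
    password-spray: one source trying at least spray_threshold distinct users
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for e in events:
        per_ip[e["ip"]]["attempts"] += 1
        per_ip[e["ip"]]["users"].add(e["user"])
    hits = {}
    for ip, rec in per_ip.items():
        patterns = []
        if len(rec["users"]) >= spray_threshold:
            patterns.append("password-spray")
        if rec["attempts"] >= brute_threshold:
            patterns.append("brute-force")
        if patterns:
            hits[ip] = {"attempts": rec["attempts"],
                        "users": sorted(rec["users"]), "patterns": patterns}
    return hits


if __name__ == "__main__":
    for ip, info in find_attackers(parse_rejects(SAMPLE_SYSLOG)).items():
        print(ip, info)
```

In a real deployment the counts should be kept per time window rather than over the whole file, and a rejection burst followed by a successful authentication from the same source is the case worth paging on, since that is the credential the attacker will use in Scenario #2.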
Identifying affected systems
A list of Tenable plugins to identify this vulnerability can be found on the individual CVE page for CVE-2023-20269 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Currently, Plugin ID 181183 is available for CVE-2023-20269 and can be used to help identify vulnerable systems based on the configuration requirements outlined in Cisco's advisory.
Additionally, the following detection plugins can be used to identify ASA and FTD devices in your environment, including those with SSL VPN enabled:
Get more information
- Cisco Security Advisory for CVE-2023-20269
- Cisco PSIRT Blog Post on Akira Ransomware Targeting VPNs without MFA
- TechTarget: Cisco VPNs under attack via Akira, LockBit ransomware
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Satnam joined Tenable in 2018. He has over 15 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped build a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music, and Grogu (Baby Yoda).