Ransomware groups including LockBit and Akira are reportedly exploiting a zero-day vulnerability in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances with VPN functionality enabled.
Background
On September 6, Cisco published an advisory for a zero-day vulnerability in the software for its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances that has been reportedly exploited in the wild:
| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2023-20269 | Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability | 5.0 | 3.2 |
*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September XX and reflects VPR at that time.
Analysis
CVE-2023-20269 is an unauthorized access vulnerability in the remote access VPN feature of the Cisco ASA and FTD software. According to Cisco, the vulnerability exists due to the "improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features."
Exploitation is not considered straightforward, as there are prerequisites that must be met in each scenario for an attack to be successful.
Scenario #1: Brute force attack
A remote, unauthenticated attacker can attempt to brute-force usernames and passwords for the vulnerable system. In order for exploitation to occur, the vulnerable system needs to contain at least one user with a password in the local database, or the HTTPS management authentication must point back to a valid AAA server. In addition, either SSL VPN or IKEv2 VPN must be enabled on at least one interface.
Scenario #2: Clientless SSL VPN Session
A remote, authenticated attacker using valid credentials establishes a "clientless SSL VPN session with an unauthorized user."
As noted in the scenario, the attacker must first have valid credentials found in the local database or the AAA server used for HTTPS management authentication, obtained either through a brute force attack or by using stolen credentials purchased from the dark web. The targeted system must be running a vulnerable version of Cisco ASA software, which includes versions 9.16 and below. The SSL VPN feature must be enabled on at least one interface and the DfltGrpPolicy group policy must include the clientless SSL VPN protocol.
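The prerequisites for both scenarios can be turned into a configuration audit. The following Python is an added example (not Tenable's plugin and not Cisco's code) that checks a constructed ASA running-config excerpt for each condition; the sample config, the function names and the result keys are assumptions made for illustration.

```python
import re

# Constructed sample of an ASA running-config excerpt (not from the advisory);
# it deliberately exhibits every prerequisite described for both scenarios.
SAMPLE_CONFIG = """\
ASA Version 9.16(4)
hostname asa-edge
username vpnuser password $sha512$5000$abc encrypted
aaa authentication http console LOCAL
crypto ikev2 enable outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
"""

def parse_version(cfg):
    """Return (major, minor) from the 'ASA Version X.Y(z)' line, or None."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)", cfg, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(cfg):
    """Map each CVE-2023-20269 prerequisite to whether the config meets it."""
    lines = cfg.splitlines()
    # Credential source: a local user with a password, or HTTPS management
    # authentication pointing at an AAA server (LOCAL or a server group).
    local_user = any(re.match(r"username \S+ password ", ln) for ln in lines)
    http_aaa = any(re.match(r"aaa authentication http console ", ln) for ln in lines)
    # SSL VPN enabled on an interface: an indented 'enable <if>' under top-level 'webvpn'.
    ssl_vpn, in_webvpn = False, False
    for ln in lines:
        if ln == "webvpn":
            in_webvpn = True
        elif not ln.startswith(" "):
            in_webvpn = False
        elif in_webvpn and ln.strip().startswith("enable "):
            ssl_vpn = True
    ikev2 = any(re.match(r"crypto ikev2 enable \S+", ln) for ln in lines)
    # Clientless SSL VPN permitted in the default group policy (scenario 2).
    clientless = bool(re.search(
        r"^group-policy DfltGrpPolicy attributes\n(?: .*\n)*? vpn-tunnel-protocol .*\bssl-clientless\b",
        cfg, re.M))
    ver = parse_version(cfg)
    old_release = ver is not None and ver <= (9, 16)  # "9.16 and below" per the advisory
    creds = local_user or http_aaa
    return {
        "credential_source": creds,
        "scenario1_bruteforce_surface": creds and (ssl_vpn or ikev2),
        "scenario2_clientless_surface": creds and ssl_vpn and clientless and old_release,
    }
```

Feeding a real `show running-config` into `assess()` shows which of the advisory's conditions a device satisfies, so the workaround that removes a given condition can be confirmed by re-running the check.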
LockBit and Akira ransomware groups have been targeting Cisco ASA systems
On August 24, Cisco's Product Security Incident Response Team (PSIRT) published a blog post noting that the Akira ransomware group and its affiliates have been targeting Cisco VPNs as far back as March 2023, particularly those systems that have not been configured with multi-factor authentication (MFA). Additionally, the LockBit ransomware group has also been linked to attacks against Cisco ASA systems not protected with MFA.
Ransomware groups and their affiliates use a myriad of ways to breach organizations, including through the exploitation of both known and zero-day vulnerabilities. For more insights into ransomware and the various players involved, please read our report called "The Ransomware Ecosystem."
SSL VPNs continue to provide a reliable doorway for attacks
For the past few years, the Tenable Security Response Team (SRT) has been warning that SSL VPNs are an ideal and reliable doorway for attackers to breach organizations. There have been several notable vulnerabilities in a variety of SSL VPN systems including Citrix, Pulse Secure and Fortinet. The discovery of attacks against Cisco ASA and FTD systems reportedly using CVE-2023-20269 serves as an important reminder of the importance of safeguarding SSL VPNs from attacks conducted by ransomware groups and other cybercriminals.
Proof of concept
At the time this blog post was published, there was no public proof-of-concept (PoC) for CVE-2023-20269.
Solution
As of September 11, there were no fixed versions of Cisco ASA or FTD software that address this vulnerability. Instead, Cisco has shared a variety of workarounds to help thwart exploitation attempts.
The following Cisco products are not affected by CVE-2023-20269:
- Firepower Management Center (FMC) Software
- FXOS Software
- IOS Software
- IOS XE Software
- IOS XR Software
- NX-OS Software
Additionally, Cisco has shared indicators of compromise that can be used to determine whether attempts to exploit the device have been observed or have been successful.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability can be located on the individual CVE page for CVE-2023-20269 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Presently, Plugin ID 181183 is available for CVE-2023-20269 and can be used to help identify vulnerable systems based on the configuration requirements outlined in Cisco's advisory.
Additionally, the following detection plugins can be used to identify ASA and FTD devices in your environment, including those with SSL VPN enabled:
Get more information
- Cisco Security Advisory for CVE-2023-20269
- Cisco PSIRT Blog Post on Akira Ransomware Targeting VPNs without MFA
- TechTarget: Cisco VPNs under attack via Akira, LockBit ransomware
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Satnam joined Tenable in 2018. He has over 15 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music, and Grogu (Baby Yoda).