CVE-2023-20269: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability

At the time of publication, this vulnerability affected Cisco devices if they were running a vulnerable release of Cisco ASA or FTD Software. The exact conditions to determine whether a device is vulnerable depend on the desired outcome, as detailed below.

For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Brute Force Attack

The brute force attack can be executed if both of the following conditions are met:

• At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.
• SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.

A successful brute force attack would allow an attacker to obtain valid username and password combinations that could then be used to establish an unauthorized remote access VPN session.

Unauthorized Clientless SSL VPN Session Establishment

To successfully establish a clientless SSL VPN session, all of the following conditions need to be met:

• The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.
• The device is running Cisco ASA Software Release 9.16 or earlier.
• SSL VPN is enabled on at least one interface.
• The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.

Note: When running Cisco FTD Software, this attack cannot succeed as Cisco FTD Software does not support the clientless SSL VPN feature.

Determine the Device Configuration

To determine the configuration settings for the LOCAL database, HTTPS management authentication, IKEv2 VPN, SSL VPN, and clientless SSL VPN protocol on a device, use the following instructions.

Assess the LOCAL User Database

Use the show running-config username | include password CLI command to determine if a local user with a password configured is present in the LOCAL database. Non-empty output of this command indicates that at least one user with a password is configured. Empty output of this command indicates that no user with a password set is configured.

The LOCAL user database is empty by default.

Assess the HTTPS Management Authentication Configuration

Use the show running-config aaa authentication | include http CLI command to determine whether HTTPS management authentication points to a valid AAA server. The following example shows the output of the show running-config aaa authentication | include http command on a device that points to AAA server ISE for HTTPS management authentication:

asa# show running-config aaa authentication | include http
aaa authentication http console ISE

The following example shows the output of this command on a device that points to the LOCAL database:

asa# show running-config aaa authentication | include http
aaa authentication http console LOCAL

HTTPS management authentication is not configured by default.

Notes:

• When running Cisco ASA Software, the aaa authentication http console command can also list both a AAA server and LOCAL. In this case, only the LOCAL database is used if the configured AAA server is not reachable.
• When running Cisco FTD Software, the aaa authentication http console aaa_server command can be pushed using FlexConfig only, and the LOCAL option is not supported.

Assess the IKEv2 VPN Configuration

Use the show running-config crypto ikev2 | include crypto ikev2 enable CLI command to determine whether IKEv2 VPN is enabled on any interface. Non-empty output of this command indicates that IKEv2 VPN is enabled on the listed interface(s). Empty output indicates that IKEv2 VPN is not enabled on any interface.

The following example shows the output of the show running-config crypto ikev2 | include crypto ikev2 enable command on a device that has IKEv2 VPN enabled on the outside interface:

asa# show running-config crypto ikev2 | include crypto ikev2 enable
crypto ikev2 enable outside

IKEv2 VPN is not enabled on any interface by default.

Note: The crypto ikev2 enable command may specify an additional client-services option that may include an optional port parameter. These options do not affect the device status in regard to this vulnerability.

Assess the SSL VPN Configuration

Use the show running-config webvpn | include ^ enable CLI command to determine whether SSL VPN is enabled on any interface. Non-empty output of this command indicates that SSL VPN is enabled on the listed interface(s). Empty output indicates that SSL VPN is not enabled on any interface.

The following example shows the output of the show running-config webvpn | include ^ enable command on a device that has SSL VPN enabled on the outside interface:

asa# show running-config webvpn | include ^ enable
enable outside

SSL VPN is not enabled on any interface by default.

Assess the Clientless SSL VPN Protocol Configuration

Use the show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol CLI command to determine if the clientless SSL VPN protocol is allowed in the DfltGrpPolicy. If the output of this command includes ssl-clientless, as shown in the following example, then the clientless SSL VPN protocol is allowed:

asa# show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless

The clientless SSL VPN protocol is allowed in the DfltGrpPolicy by default.

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

• Firepower Management Center (FMC) Software
• FXOS Software
• IOS Software
• IOS XE Software
• IOS XR Software
• NX-OS Software