CVE-2023-20269: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability

A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.

This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:

  • Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
  • Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).

Notes:

  • Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured.
  • This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.

Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.

At the time of publication, this vulnerability affected Cisco devices if they were running a vulnerable release of Cisco ASA or FTD Software. The exact conditions to determine whether a device is vulnerable depend on the desired outcome, as detailed below.

For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Brute Force Attack

The brute force attack can be executed if both of the following conditions are met:

  • At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.
  • SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.

A successful brute force attack would allow an attacker to obtain valid username and password combinations that could then be used to establish an unauthorized remote access VPN session.

Unauthorized Clientless SSL VPN Session Establishment

To successfully establish a clientless SSL VPN session, all of the following conditions need to be met:

  • The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.
  • The device is running Cisco ASA Software Release 9.16 or earlier.
  • SSL VPN is enabled on at least one interface.
  • The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.

Note: When running Cisco FTD Software, this attack cannot succeed as Cisco FTD Software does not support the clientless SSL VPN feature.

Determine the Device Configuration

To determine the configuration settings for the LOCAL database, HTTPS management authentication, IKEv2 VPN, SSL VPN, and clientless SSL VPN protocol on a device, use the following instructions.

Assess the LOCAL User Database

Use the show running-config username | include password CLI command to determine if a local user with a password configured is present in the LOCAL database. Non-empty output of this command indicates that at least one user with a password is configured. Empty output of this command indicates that no user with a password set is configured.

The LOCAL user database is empty by default.

Assess the HTTPS Management Authentication Configuration

Use the show running-config aaa authentication | include http CLI command to determine whether HTTPS management authentication points to a valid AAA server. The following example shows the output of the show running-config aaa authentication | include http command on a device that points to AAA server ISE for HTTPS management authentication:

asa# show running-config aaa authentication | include http
aaa authentication http console ISE

The following example shows the output of this command on a device that points to the LOCAL database:

asa# show running-config aaa authentication | include http
aaa authentication http console LOCAL

HTTPS management authentication is not configured by default.

Notes:

  • When running Cisco ASA Software, the aaa authentication http console command can also list both a AAA server and LOCAL. In this case, only the LOCAL database is used if the configured AAA server is not reachable.
  • When running Cisco FTD Software, the aaa authentication http console aaa_server command can be pushed using FlexConfig only, and the LOCAL option is not supported.

Assess the IKEv2 VPN Configuration

Use the show running-config crypto ikev2 | include crypto ikev2 enable CLI command to determine whether IKEv2 VPN is enabled on any interface. Non-empty output of this command indicates that IKEv2 VPN is enabled on the listed interface(s). Empty output indicates that IKEv2 VPN is not enabled on any interface.

The following example shows the output of the show running-config crypto ikev2 | include crypto ikev2 enable command on a device that has IKEv2 VPN enabled on the outside interface:

asa# show running-config crypto ikev2 | include crypto ikev2 enable
crypto ikev2 enable outside

IKEv2 VPN is not enabled on any interface by default.

Note: The crypto ikev2 enable command may specify an additional client-services option that may include an optional port parameter. These options do not affect the device status in regard to this vulnerability.

Assess the SSL VPN Configuration

Use the show running-config webvpn | include ^ enable CLI command to determine whether SSL VPN is enabled on any interface. Non-empty output of this command indicates that SSL VPN is enabled on the listed interface(s). Empty output indicates that SSL VPN is not enabled on any interface.

The following example shows the output of the show running-config webvpn | include ^ enable command on a device that has SSL VPN enabled on the outside interface:

asa# show running-config webvpn | include ^ enable
enable outside

SSL VPN is not enabled on any interface by default.

Assess the Clientless SSL VPN Protocol Configuration

Use the show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol CLI command to determine if the clientless SSL VPN protocol is allowed in the DfltGrpPolicy. If the output of this command includes ssl-clientless, as shown in the following example, then the clientless SSL VPN protocol is allowed:

asa# show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless

The clientless SSL VPN protocol is allowed in the DfltGrpPolicy by default.
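As an added example (not part of Cisco's advisory), the following Python script reads a saved ASA running-config and evaluates the two condition lists above, so an administrator can check many saved configs offline instead of typing the five show commands on each box. The sample config, the user name and the AAA server name "ISE" are constructed; the version check assumes an "ASA Version" line is present in the saved config.

```python
# Added example (not Cisco's code): evaluate a saved ASA running-config
# against the exposure conditions listed in this advisory.
import re

# Constructed sample running-config; user and server names are made up.
SAMPLE_CONFIG = """\
ASA Version 9.16(4)
hostname asa
username vpnuser password $sha512$5000$constructed encrypted
aaa authentication http console ISE LOCAL
crypto ikev2 enable outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
"""

def asa_version(config):
    """Return (major, minor) from the 'ASA Version' line, or None if absent."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(config):
    """Check the five settings the advisory says to inspect and combine them
    the way its two condition lists do. Returns a dict of booleans."""
    lines = config.splitlines()
    local_user = any(re.match(r"username \S+ password ", l) for l in lines)
    m = re.search(r"^aaa authentication http console (\S+)", config, re.M)
    http_aaa = bool(m and m.group(1).upper() != "LOCAL")  # first server named
    ikev2 = any(l.startswith("crypto ikev2 enable ") for l in lines)
    ssl_vpn, clientless, block = False, True, None  # clientless allowed by default
    for l in lines:
        if not l.startswith(" "):
            block = l  # indented lines belong to the last top-level command
        elif block == "webvpn" and l.strip().startswith("enable "):
            ssl_vpn = True
        elif block == "group-policy DfltGrpPolicy attributes" and \
                l.strip().startswith("vpn-tunnel-protocol"):
            clientless = "ssl-clientless" in l.split()
    ver = asa_version(config)
    creds = local_user or http_aaa  # a credential store exists to test against
    return {
        "brute_force_exposed": creds and (ssl_vpn or ikev2),
        "clientless_exposed": creds and ssl_vpn and clientless
                              and ver is not None and ver <= (9, 16),
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of show running-config all so that the default vpn-tunnel-protocol line of DfltGrpPolicy is present rather than inferred.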

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Firepower Management Center (FMC) Software
  • FXOS Software
  • IOS Software
  • IOS XE Software
  • IOS XR Software
  • NX-OS Software
