16325 Views, 1 Helpful, 4 Replies

CVE-2023-20269: how to mitigate this vulnerability

Jay Kumar (Cisco Employee)

As per the CVE, the detailed information is available in the advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability, https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

 

I request you to kindly go through the same to understand Cisco's recommendation.

 

To highlight:

 

  *   CVE-2023-20269 is a zero-day vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that is actively exploited by ransomware operations to gain initial access to corporate networks.

  *   The medium severity zero-day vulnerability impacts the VPN feature of Cisco ASA and Cisco FTD, allowing unauthorized remote attackers to conduct brute force attacks against existing accounts.

  *   The CVE-2023-20269 flaw is located within the web services interface of the Cisco ASA and Cisco FTD devices, specifically the functions that deal with authentication, authorization, and accounting (AAA) functions.

  *   The flaw is caused by improperly separating the AAA functions and other software features. This leads to scenarios where an attacker can send authentication requests to the web services interface to impact or compromise authorization components.

  *   Since these requests have no limitation, the attacker can brute force credentials using countless username and password combinations without being rate-limited or blocked for abuse.

 

For the brute force attacks to work, the Cisco appliance must meet the following conditions:

 

  *   At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.

  *   SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.

 

To establish a clientless SSL VPN session, the targeted device needs to meet these conditions:

 

 

  *   The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.

  *   The device is running Cisco ASA Software Release 9.16 or earlier.

  *   SSL VPN is enabled on at least one interface.

  *   The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.

 

Mitigating the flaw

 

  *   Cisco will release a security update to address CVE-2023-20269, but until fixes are made available, system administrators are advised to take the following actions:

 

 

  *   Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.

  *   Deny access with Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero and ensuring that all VPN session profiles point to a custom policy.

  *   Implement LOCAL user database restrictions by locking specific users to a single profile with the 'group-lock' option and prevent VPN setups by setting 'vpn-simultaneous-logins' to zero.

  *   Cisco also recommends securing Default Remote Access VPN profiles by pointing all non-default profiles to a sinkhole AAA server (dummy LDAP server) and enabling logging to catch potential attack incidents early.

 

Finally, it is crucial to note that multi-factor authentication (MFA) mitigates the risk, as even successfully brute-forcing account credentials wouldn't be enough to hijack MFA-secured accounts and use them to establish VPN connections.

 

Reference:

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

Cisco warns of VPN zero-day exploited by ransomware gangs (bleepingcomputer.com)
https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/
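As an added example (not part of the original post, and not a Cisco tool), the following Python script audits an ASA running-config excerpt for the brute-force preconditions and the mitigations listed above: vpn-simultaneous-logins 0 and no ssl-clientless on DfltGrpPolicy, group-lock or vpn-simultaneous-logins 0 on every LOCAL user, keepout on the clientless portal, and a non-LOCAL (sinkhole) authentication-server-group on the built-in connection profiles. Both config excerpts are constructed for the example; the names RA-PROFILE, RA-USERS and SINKHOLE are assumptions, and applying the sinkhole check to all four built-in profiles rather than only DefaultADMINGroup and DefaultL2LGroup is a choice of this example, not something the advisory text above states.

```python
import re

# Constructed ASA running-config excerpt with the exposure conditions present (not from the page or any real device).
WEAK_CONFIG = """\
username admin password ***** privilege 15
aaa authentication http console LOCAL
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
"""

# Same device after advisory-style mitigations. RA-PROFILE, RA-USERS, SINKHOLE are assumed names; verify each command on your release.
HARDENED_CONFIG = """\
username admin password ***** privilege 15
username admin attributes
 vpn-simultaneous-logins 0
 group-lock value RA-PROFILE
aaa authentication http console LOCAL
aaa-server SINKHOLE protocol ldap
webvpn
 enable outside
 keepout "Portal disabled"
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
group-policy RA-USERS attributes
 vpn-tunnel-protocol ssl-client
tunnel-group RA-PROFILE general-attributes
 default-group-policy RA-USERS
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultADMINGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultL2LGroup general-attributes
 authentication-server-group SINKHOLE
"""

DEFAULT_TUNNEL_GROUPS = ("DefaultADMINGroup", "DefaultL2LGroup", "DefaultRAGroup", "DefaultWEBVPNGroup")


def parse_blocks(config):
    """Map each top-level config line to its indented sub-lines (ASA indents with one space)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def sub_value(blocks, header, keyword):
    """Argument of `keyword` inside block `header`, or None when that line is absent."""
    for line in blocks.get(header, []):
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return None


def audit(config):
    """Sorted findings: which CVE-2023-20269 preconditions hold and which mitigations are missing."""
    blocks, findings = parse_blocks(config), []
    local_users = [h.split()[1] for h in blocks if re.match(r"username \S+ password ", h)]
    http_aaa = any(h.startswith("aaa authentication http console ") for h in blocks)
    ssl_vpn = any(s.startswith("enable ") for s in blocks.get("webvpn", []))
    ikev2 = any(h.startswith("crypto ikev2 enable ") for h in blocks)
    if (local_users or http_aaa) and (ssl_vpn or ikev2):
        findings.append("brute-force precondition met: credentials exist and SSL/IKEv2 VPN is enabled")
    if ssl_vpn and sub_value(blocks, "webvpn", "keepout") is None:
        findings.append("clientless portal reachable: no 'keepout' under webvpn")
    # A missing DfltGrpPolicy block means factory defaults (3 logins, every protocol allowed).
    dflt = "group-policy DfltGrpPolicy attributes"
    if sub_value(blocks, dflt, "vpn-simultaneous-logins") != "0":
        findings.append("DfltGrpPolicy vpn-simultaneous-logins is not 0")
    proto = sub_value(blocks, dflt, "vpn-tunnel-protocol")
    if proto is None or "ssl-clientless" in proto.split():
        findings.append("DfltGrpPolicy allows ssl-clientless")
    # Built-in connection profiles should authenticate against a sinkhole server, never LOCAL.
    for tg in DEFAULT_TUNNEL_GROUPS:
        srv = sub_value(blocks, f"tunnel-group {tg} general-attributes", "authentication-server-group")
        if srv is None or srv.split()[0] == "LOCAL":
            findings.append(f"{tg} authenticates against LOCAL (no sinkhole AAA server)")
    # Every LOCAL user must be locked to one profile or barred from VPN sessions entirely.
    for user in local_users:
        attrs = f"username {user} attributes"
        if sub_value(blocks, attrs, "group-lock") is None and sub_value(blocks, attrs, "vpn-simultaneous-logins") != "0":
            findings.append(f"local user {user} has no group-lock and can open VPN sessions")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *audit(cfg), sep="\n - ")
```

Run against the weak excerpt the audit reports nine findings; against the hardened excerpt it reports exactly one, the brute-force precondition itself, which matches the advisory's point that the attempts cannot be prevented, only their impact limited. The parser only understands the one-space indentation of `show running-config` output. Pointing DefaultWEBVPNGroup or DefaultRAGroup at a sinkhole is only safe when every legitimate profile is selected explicitly (group-alias or group-url); clients that do not pick a profile land in those defaults and would lose access.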

4 Replies

tvotna (Spotlight)

Hi @Jay Kumar . The security advisory lists conditions for brute force attack as follows:

The brute force attack can be executed if both of the following conditions are met:

  • At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.
  • SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.

And then it says:

While there is no method to completely prevent a brute force attack attempt, you can implement the following recommendations to limit the impact of brute force attacks and to protect against unauthorized Clientless SSL VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups.

So, I have a couple of very simple questions about the brute force attack vulnerability specifically and hope you can answer them.

1. Suppose only SSL VPN is enabled on the outside interface with "webvpn" / "enable outside" ASA CLI and IKEv2 is not enabled. Also, suppose that "keepout" is configured to completely disable the clientless WebVPN portal. This is a global setting which in my understanding should apply to all tunnel-groups, including DefaultADMINGroup and DefaultL2LGroup. The password prompt to log in to the clientless WebVPN portal will never appear when "keepout" is configured. QUESTION: can a brute force attack still be successful in this case?

webvpn
enable outside
keepout " "

2. Can you shed some light on how the IKEv2 protocol can be used to exploit the brute force attack vulnerability? For example, DefaultL2LGroup doesn't have remote-authentication configured by default, which in my understanding means that the Cisco Aggregate Authentication protocol won't start for this tunnel-group and hence user authentication won't start whatsoever.

tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication

 

Hi,

Hope you find useful the following answers:

1. No, a brute force attack won't be successful if you enable the "keepout" option because no login portal page will be displayed to the attacker.

2. There is no vulnerability with the IKEv2 feature, but AnyConnect can be configured to establish a VPN with IKEv2 instead of SSL, which is the default protocol used, and AnyConnect uses AAA as the default authentication method unless the administrator changes it.

If the webvpn section isn't configured with the "tunnel-group-list enable" feature, all remote-access VPN sessions will land in either DefaultRAGroup (IKEv2) or DefaultWEBVPNGroup (Clientless and AnyConnect SSL); the DefaultL2LGroup is used for LAN-to-LAN tunnels only.
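The original post recommends enabling logging to catch attack incidents early, and the reply above explains that sessions which do not select a profile land in DefaultRAGroup or DefaultWEBVPNGroup. As an added example, not code from the page or from Cisco, here is a Python detector run over constructed ASA syslog lines: it raises one alert per source IP that produces too many rejections or too many distinct usernames inside a 60-second window, and a separate alert for any attempt against DefaultADMINGroup or DefaultL2LGroup, which no legitimate client should use. The line layouts approximate message IDs 113005/113015 (AAA rejection) and 716039 (WebVPN authentication rejected); the exact field order on your release may differ, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the page or any real device). Layouts approximate
# ASA message IDs 113005/113015 and 716039; field order varies by release, so adapt the regexes.
SAMPLE_LOG = """\
Sep 08 2023 10:15:01 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = test : user IP = 203.0.113.40
Sep 08 2023 10:15:02 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin1 : user IP = 203.0.113.40
Sep 08 2023 10:15:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.40
Sep 08 2023 10:15:03 asa1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <admin> IP <203.0.113.40> Authentication: rejected, Session Type: WebVPN.
Sep 08 2023 10:15:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco : user IP = 203.0.113.40
Sep 08 2023 10:15:05 asa1 %ASA-6-716039: Group <DefaultADMINGroup> User <admin> IP <203.0.113.40> Authentication: rejected, Session Type: WebVPN.
Sep 08 2023 10:16:10 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 198.51.100.9
Sep 08 2023 10:16:40 asa1 %ASA-6-113004: AAA user authentication Successful : local database : user = jdoe
"""

TS = r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) \S+ "
REJECT_RE = re.compile(TS + r"%ASA-\d-1130(?:05|15): .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
WEBVPN_RE = re.compile(TS + r"%ASA-\d-716039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
                       r"IP <(?P<ip>[^>]+)> Authentication: rejected")

SENSITIVE_GROUPS = {"DefaultADMINGroup", "DefaultL2LGroup"}  # no legitimate client logs in here
WINDOW_SECONDS = 60
REJECT_THRESHOLD = 5   # rejections from one source IP inside the window (assumed value)
SPRAY_THRESHOLD = 3    # distinct usernames tried from one source IP inside the window (assumed)


def parse_events(text):
    """Return (timestamp, source_ip, username, tunnel_group_or_None) per rejection line, time-ordered."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line) or WEBVPN_RE.match(line)
        if m:
            d = m.groupdict()
            ts = datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, d["ip"], d["user"], d.get("group")))
    return sorted(events, key=lambda e: e[0])


def detect(text):
    """Alert once per source IP crossing a threshold, plus once per attempt on a sensitive profile."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # source IP -> (timestamp, username) pairs still inside the window
    for ts, ip, user, group in parse_events(text):
        if group in SENSITIVE_GROUPS:
            alerts.append(f"{ip}: login attempt against {group} as '{user}'")
        window = recent[ip]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        users = {u for _, u in window}
        if ip not in fired and (len(window) >= REJECT_THRESHOLD or len(users) >= SPRAY_THRESHOLD):
            fired.add(ip)
            alerts.append(f"{ip}: {len(window)} rejections / {len(users)} usernames within {WINDOW_SECONDS}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the constructed sample, the spray from 203.0.113.40 trips the distinct-username threshold on its third attempt and its later DefaultADMINGroup attempt produces a second alert, while the single failure from 198.51.100.9 stays silent. Replace SAMPLE_LOG with a syslog export to run it on real data. A distributed attack that spreads attempts across many source IPs will not cross the per-IP thresholds, so track counts per username as well.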

#TCN (Level 1)

Do we have any timeframes around the fixed code release date for the 9.14.x train? 

adity (Level 1)

Is this bug fixed?

We have conducted a VAPT and we also received the same vulnerability on our firewall.