Cisco VPN in ASA and FTD unpatched vulnerability exploited in ransomware group attacks
Take action: If you use Cisco VPN through Cisco ASA or FTD, it is time to gather your network security team, review the logs for indicators of compromise and apply as many of the mitigating measures as possible. Attackers will extract valid credentials and then either attack you directly or simply sell the credentials.
Cisco has identified a critical zero-day vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which has been actively exploited by the Akira ransomware group since August. The company initially discovered this vulnerability in the course of investigating Akira ransomware attacks where organizations fell victim due to the absence of multi-factor authentication on their Cisco VPNs.
The vulnerability, tracked as CVE-2023-20269 with an initial CVSS 3 score of 5, exists within the remote access VPN feature of both Cisco ASA and FTD. It can be exploited remotely, primarily through brute force attacks.
To exploit this flaw in a brute force attack, an unauthenticated attacker must specify a default connection profile/tunnel group. This allows the attacker to identify valid username-password pairs and then establish a clientless SSL VPN session as an unauthorized user.
It is important to note that this vulnerability cannot be used to establish a client-based remote access VPN tunnel or bypass authentication. To successfully execute a clientless SSL VPN session exploit, four conditions must be met:
- valid credentials,
- the use of Cisco ASA version 9.16 or earlier,
- SSL VPN enabled on at least one interface,
- permission for the clientless SSL VPN protocol.
Devices running Cisco FTD are susceptible to the brute force attack used to identify valid username-password pairs, but are not susceptible to the clientless VPN attack, since FTD does not support clientless SSL VPN sessions.
Cisco has not yet released a patch and is actively working on security updates to address this vulnerability in both Cisco ASA and FTD software. Cisco urges its customers to upgrade to a fixed software release once available and has provided interim workarounds to mitigate the risk.
In response to this threat, Cisco has shared a list of indicators of compromise (IoCs) to help organizations detect potential malicious activity, together with a set of mitigating measures that each organization's team needs to review for applicability and apply:
To address the risk of unauthorized Clientless SSL VPN sessions via the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups, consider these workarounds:
- Dynamic Access Policies (DAP): configure DAP to terminate VPN tunnels when DefaultADMINGroup or DefaultL2LGroup is used. Follow the Cisco ASA Series VPN ASDM Configuration Guide for setup.
- Deny remote access VPN using DfltGrpPolicy: if DfltGrpPolicy is not meant for remote access, prevent it by setting vpn-simultaneous-logins to zero in the group-policy configuration.
- Restrict LOCAL user database users:
  - Lock users to a specific profile: use group-lock in the username attributes to restrict users to a specific profile/tunnel group.
  - Prevent remote access VPN: set vpn-simultaneous-logins to zero in the username attributes to block users from establishing remote access VPN tunnels.
These workarounds should be assessed for suitability and potential network impact in your specific environment before implementation.
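The following ASA CLI fragment is an added example of the DfltGrpPolicy and LOCAL-user workarounds described above; it is not configuration from Cisco's advisory or from any real device. The tunnel group name CORP-RA-PROFILE and the usernames alice and svc-backup are constructed placeholders. The DAP workaround is not shown because DAP selection criteria are configured through ASDM rather than these CLI commands.

```cisco
! Added example (hypothetical): ASA workarounds for CVE-2023-20269.
! Applies only to ASA; FTD does not support clientless SSL VPN.

! 1. Deny remote access VPN through the default group policy.
!    Any connection profile/tunnel group that inherits DfltGrpPolicy
!    (including DefaultADMINGroup and DefaultL2LGroup) can no longer
!    establish a remote access VPN session.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! 2. The legitimate remote access profile keeps its own group policy,
!    so it is unaffected by the change above (CORP-RA-* names are assumed).
tunnel-group CORP-RA-PROFILE type remote-access
tunnel-group CORP-RA-PROFILE general-attributes
 default-group-policy CORP-RA-POLICY
group-policy CORP-RA-POLICY internal
group-policy CORP-RA-POLICY attributes
 vpn-simultaneous-logins 3

! 3. Lock a LOCAL database user to that profile only, so the account
!    cannot be used to authenticate against a default tunnel group.
username alice attributes
 group-lock value CORP-RA-PROFILE

! 4. Block a LOCAL account that should never use remote access VPN
!    (for example a service or administrative account).
username svc-backup attributes
 vpn-simultaneous-logins 0
```

Before applying step 1, run `show run tunnel-group` and `show run group-policy` to confirm which connection profiles still inherit DfltGrpPolicy: any production profile without its own default-group-policy would be cut off along with the default groups, which is the network impact the advisory asks you to assess.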