CISA Added Cisco Adaptive Security Appliance Software Vulnerability to its Known Exploited Vulnerabilities Catalog (CVE-2023-20269)

CISA has added a vulnerability in Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software to its Known Exploited Vulnerabilities Catalog. The addition of the vulnerability to CISA KEV is the acknowledgment of active exploitation of the vulnerability. CISA has requested users to patch the vulnerability before October 4, 2023.

Ransomware groups are exploiting the vulnerability to gain initial access to corporate networks.

The vulnerability allows an unauthenticated, remote attacker to conduct a brute force attack to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.

Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in various form factors. ASA Software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs.

Vulnerability Details

The vulnerability originates from the improper authentication, authorization, and accounting (AAA) separation between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker may exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or establishing a clientless SSL VPN session using valid credentials.

A successful exploit could allow the attacker to achieve one or both of the following:

  • Identifying valid credentials and using them to establish an unauthorized remote access VPN session.
  • Establishing a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).

Note:

  • Establishing a client-based remote access VPN tunnel is not possible, because these default connection profiles/tunnel groups do not have an IP address pool configured.
  • This vulnerability does not allow an attacker to bypass authentication. An attacker must have valid credentials to establish a remote access VPN session successfully. An attacker would also require a valid second factor in the case of multi-factor authentication.

Prerequisites for the exploitation

Brute Force Attack

Performing a brute force attack is possible if both of the following conditions are true:

  • At least one user is configured with a password in the LOCAL database, or HTTPS management authentication points to a valid AAA server.
  • At least one interface has SSL VPN configured, or at least one interface has IKEv2 VPN enabled.

A successful brute force attack would allow an attacker to establish an unauthorized remote access VPN session.

Unauthorized Clientless SSL VPN Session Establishment

All the following prerequisites must be satisfied to establish a clientless SSL VPN session effectively:

  • In the LOCAL database or the AAA server used for HTTPS management authentication, the attacker has valid credentials for a user. A brute force attack could be used to obtain these credentials.
  • The device is running Cisco ASA Software Release 9.16 or earlier.
  • At least one of the interfaces has SSL VPN enabled.
  • The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.

Note: The attack cannot be successful on the Cisco FTD software as it does not support the clientless SSL VPN feature.

Indicators of Compromise

Brute Force Attack

A syslog message %ASA-6-113015 reports a failed authentication attempt. A high rate of these syslog messages indicates a brute force or password spraying attack.

During a brute force attack, these messages are typically observed for the same user from the same IP address. During a password spraying attack, a high frequency of these messages is observed for many different users from the same IP address.

Unauthorized Clientless SSL VPN Session Establishment

A successful or attempted establishment of an unauthorized clientless SSL VPN session can be determined by the appearance of a session setup attempt (syslog message %ASA-7-734003) or termination event (syslog message %ASA-4-113019) that reports one of the following unusual connection profiles/tunnel groups:

  • DefaultADMINGroup
  • DefaultL2LGroup
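The two indicators above can be turned into a simple log-review check. The following is an added example written for this post (not code from Qualys or Cisco): it parses ASA syslog lines, classifies repeated %ASA-6-113015 failures per source IP as brute force (one user) or password spraying (many users), and flags %ASA-7-734003 / %ASA-4-113019 events whose tunnel group is DefaultADMINGroup or DefaultL2LGroup. The sample log lines are constructed, the field layout approximates real ASA output, the `aaa.cisco.tunnelgroup` DAP attribute name is assumed, and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the page). The field layout
# approximates Cisco ASA output; only the "user = ", "user IP = ", "Group = "
# and "tunnelgroup = " fields are relied upon by the parsers below.
_FAIL = ("%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password "
         ": local database : user = {user} : user IP = {ip}")
SAMPLE_LOGS = (
    # one user, one source, six failures -> brute force pattern
    [_FAIL.format(user="admin", ip="203.0.113.10")] * 6
    # three users, one source, six failures -> password spraying pattern
    + [_FAIL.format(user=u, ip="203.0.113.20") for u in ("alice", "bob", "carol") for _ in range(2)]
    # a single typo from a normal user -> below threshold
    + [_FAIL.format(user="dave", ip="198.51.100.5")]
    + [
        # session setup attempt against a default tunnel group (attribute name assumed)
        "%ASA-7-734003: DAP: User mallory, Addr 203.0.113.10: Session Attribute "
        "aaa.cisco.tunnelgroup = DefaultADMINGroup",
        # session termination event reporting a default tunnel group
        "%ASA-4-113019: Group = DefaultL2LGroup, Username = mallory, IP = 203.0.113.10, "
        "Session disconnected. Session Type: Clientless, Duration: 0h:00m:12s, "
        "Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested",
        # ordinary remote access VPN session on a customer-defined tunnel group (benign)
        "%ASA-4-113019: Group = EmployeeVPN, Username = alice, IP = 198.51.100.5, "
        "Session disconnected. Session Type: SSL, Duration: 1h:02m:10s, "
        "Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested",
    ]
)

FAIL_RE = re.compile(r"%ASA-6-113015:.*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
DAP_TG_RE = re.compile(r"%ASA-7-734003:.*?tunnelgroup = (?P<group>\S+)")
DISC_RE = re.compile(r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),")

# Tunnel groups named in the advisory as unusual for remote access sessions.
SUSPICIOUS_GROUPS = {"DefaultADMINGroup", "DefaultL2LGroup"}


def analyze_auth_failures(lines, min_failures=5, spray_users=3):
    """Aggregate %ASA-6-113015 failures per source IP and classify the pattern.

    Returns {ip: {"verdict": str, "failures": int, "users": [sorted user names]}}.
    A source with fewer than `min_failures` rejections is "below-threshold";
    above it, `spray_users` or more distinct user names means "password-spraying",
    otherwise "brute-force" (repeated guesses against the same account).
    """
    by_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        rec = by_ip[m["ip"]]
        rec["failures"] += 1
        rec["users"].add(m["user"])

    findings = {}
    for ip, rec in by_ip.items():
        n, users = rec["failures"], rec["users"]
        if n < min_failures:
            verdict = "below-threshold"
        elif len(users) >= spray_users:
            verdict = "password-spraying"
        else:
            verdict = "brute-force"
        findings[ip] = {"verdict": verdict, "failures": n, "users": sorted(users)}
    return findings


def find_default_group_sessions(lines):
    """Return (message_id, tunnel_group, line) for every 734003/113019 event
    that names one of the suspicious default tunnel groups."""
    hits = []
    for line in lines:
        for msg_id, rx in (("734003", DAP_TG_RE), ("113019", DISC_RE)):
            m = rx.search(line)
            if m and m["group"] in SUSPICIOUS_GROUPS:
                hits.append((msg_id, m["group"], line))
    return hits


if __name__ == "__main__":
    for ip, f in analyze_auth_failures(SAMPLE_LOGS).items():
        print(f"{ip}: {f['verdict']} ({f['failures']} failures, users={f['users']})")
    for msg_id, group, _ in find_default_group_sessions(SAMPLE_LOGS):
        print(f"%ASA-*-{msg_id} references default tunnel group {group}")
```

In production the same two functions would be fed from the syslog collector (or a SIEM export) rather than the inline list, and the thresholds tuned to the normal failure rate of the VPN population; a single 734003 or 113019 hit on a default tunnel group warrants follow-up regardless of rate, since those groups should not see remote access sessions at all.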

Affected Versions

The vulnerability affects Cisco Adaptive Security Appliance Software versions prior to 9.17.

Mitigation

Customers must upgrade to the Cisco Adaptive Security Appliance Software version 9.17 to patch the vulnerability.

Customers can refer to the Cisco Security Advisory (cisco-sa-asaftd-ravpn-auth-8LyfCkeC) for information about the vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 317353 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
