- October 6, 2023: Search recommendation.
- October 5, 2023: Published.
The remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software contains a vulnerability [CVE-2023-20269] caused by improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features.
An attacker could exploit the vulnerability by specifying a default connection profile (tunnel group) while conducting a brute-force attack against credentials, or while establishing a clientless SSL VPN session with valid credentials. Establishing a client-based remote access VPN tunnel is not possible, because these default connection profiles do not and cannot have an IP address pool configured. The vulnerability does not allow an attacker to bypass authentication: to establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.
A successful exploit could allow the attacker to:
- Identify valid credentials (username and password combinations).
- Establish an unauthorized, clientless, remote access SSL VPN session (only on devices running Cisco ASA Software Release 9.16 or earlier).
What To Do
Cisco has published workarounds that address this vulnerability; see the Cisco advisory “Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability”.
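As an added illustration (not text from this page and not copied from Cisco's advisory), the following Cisco ASA configuration fragment shows two hardening steps of the kind the Cisco workarounds describe: the default group policy DfltGrpPolicy, which the built-in connection profiles such as DefaultADMINGroup and DefaultL2LGroup use unless another group policy has been assigned to them, is set to permit zero simultaneous VPN logins, and each local VPN user is locked to the connection profile they are meant to use, so a login attempt that names a default profile is rejected. The group policy name RA-VPN-Policy, the connection profile name RA-VPN-Users and the username jdoe are assumed placeholders; the commands themselves are standard ASA `group-policy ... attributes` and `username ... attributes` syntax.

```text
! Caveat first: a user-defined group policy inherits every attribute it does
! not set explicitly from DfltGrpPolicy. Pin the login limit in the policy
! your real remote-access profile uses (name assumed) BEFORE changing the
! default, or the inherited value of 0 will lock out legitimate users.
group-policy RA-VPN-Policy attributes
 vpn-simultaneous-logins 3

! Deny any VPN session that lands on the default group policy, which the
! built-in default connection profiles use unless another policy was assigned.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! Lock each local VPN user to the connection profile they are meant to use
! (username and profile name are assumed placeholders). An authentication
! attempt that specifies a different profile, including a default one, fails.
username jdoe attributes
 group-lock value RA-VPN-Users
```

Before applying the DfltGrpPolicy change, confirm with `show running-config tunnel-group` that no production connection profile still relies on DfltGrpPolicy (look for the `default-group-policy` line under each profile's general-attributes), and check `show running-config group-policy` to see which policies set `vpn-simultaneous-logins` explicitly rather than inheriting it. Apply in a maintenance window and test a legitimate remote access login afterwards; the Cisco advisory remains the authoritative list of workarounds and fixed releases.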
Search for the following older vulnerabilities as a proxy to identify companies that may be exposed:
These vulnerabilities are tied to Cisco ASA, so their presence is evidence that a company has a version of Cisco ASA exposed to the Internet. We will continue our research efforts to deliver a more finely tuned scan that directly tracks this vulnerability.