The remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software has a vulnerability [CVE-2023-20269] due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN and the HTTPS management and site-to-site VPN features.
The vulnerability could be exploited by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.
A successful exploit could allow the attacker to:
- Identify valid credentials (username and password combinations).
- Establish an unauthorized, clientless, remote access SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).
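Because the advisory describes two observable outcomes, a credential brute force against a default connection profile and a clientless SSL VPN session landing in one of those profiles, the defender-side check is a log review. The following is an added example, not code from the advisory or from Cisco: it parses ASA-style syslog lines, flags source addresses that accumulate rejected authentications inside a sliding window, and flags WebVPN sessions whose group is one of the platform's default tunnel groups. The default group names are the ones present on ASA/FTD, and the two syslog IDs (113005, 716001) are real ASA messages, but the exact field layout in the regexes and every sample log line below are constructed assumptions; adjust the patterns to the output of the actual device before using this against real logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default tunnel groups present on ASA/FTD. Treating these as the advisory's
# "default connection profiles/tunnel groups" is an assumption.
DEFAULT_TUNNEL_GROUPS = {"DefaultRAGroup", "DefaultWEBVPNGroup",
                         "DefaultL2LGroup", "DefaultADMINGroup"}

# Syslog patterns. The message IDs are real; the field layout is assumed and
# modelled on the ASA message catalogue. Tune to your device's actual output.
TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected : reason = (?P<reason>[^:]+?) :"
    r" server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
WEBVPN_START_RE = re.compile(
    r"%ASA-6-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>"
    r" WebVPN session started")


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not of interest."""
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%b %d %Y %H:%M:%S")
    m = REJECT_RE.search(line)
    if m:
        return {"ts": ts, "kind": "reject", "ip": m.group("ip"), "user": m.group("user")}
    m = WEBVPN_START_RE.search(line)
    if m:
        return {"ts": ts, "kind": "webvpn_start", "ip": m.group("ip"),
                "user": m.group("user"), "group": m.group("group")}
    return None


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak rejects inside any `window`} for IPs reaching `threshold`."""
    rejects = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "reject":
            rejects[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in rejects.items():
        recent = deque()          # timestamps inside the current sliding window
        peak = 0
        for t in times:
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_default_group_sessions(events):
    """Clientless (WebVPN) sessions that started in a default tunnel group."""
    return [e for e in events
            if e["kind"] == "webvpn_start" and e["group"] in DEFAULT_TUNNEL_GROUPS]


def analyze(lines, threshold=5, window=timedelta(minutes=5)):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {
        "bruteforce": find_bruteforce(events, threshold, window),
        "default_group_sessions": [(e["ip"], e["user"], e["group"])
                                   for e in find_default_group_sessions(events)],
    }


# Constructed sample log (not real device output): five rejects from one address
# in eight seconds, one isolated reject from another, then two WebVPN sessions.
SAMPLE_LOG = """\
Sep 07 2023 10:00:01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Sep 07 2023 10:00:03 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Sep 07 2023 10:00:05 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Sep 07 2023 10:00:07 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Sep 07 2023 10:00:09 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = erin : user IP = 198.51.100.7
Sep 07 2023 10:30:00 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 203.0.113.9
Sep 07 2023 10:31:00 %ASA-6-716001: Group <DefaultWEBVPNGroup> User <alice> IP <198.51.100.7> WebVPN session started.
Sep 07 2023 10:32:00 %ASA-6-716001: Group <CorpVPN> User <frank> IP <203.0.113.9> WebVPN session started.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

The sliding window matters more than a plain count: a handful of typos from one user over a day is normal, while five distinct usernames rejected from one address in seconds is the pattern the advisory's first outcome produces. The second check is the one that still applies after patching, since a session in a default tunnel group is rarely intended regardless of which release is running.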
Cisco will release software updates that address this vulnerability. Cisco also has workarounds that address this vulnerability. See Cisco, “Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability”.
See the resource center.