What the Issue Is
The heart of this cybersecurity concern lies in CVE-2023-20269, a medium-severity vulnerability that impacts the remote access VPN features within Cisco’s ASA and FTD software. According to Cisco’s advisory, this flaw has the potential to allow attackers to conduct a brute force attack, attempting to identify valid username and password combinations. Alternatively, it could enable an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
To grasp the gravity of this issue, it’s essential to understand the root cause of the vulnerability. The problem arises from improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. This oversight provides an opportunity for attackers to specify a default connection profile/tunnel group while conducting a brute force attack or establishing a clientless SSL VPN session using valid credentials.
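Because the flaw expresses itself as either a burst of failed remote-access logins or a session landing in a connection profile that ordinary VPN users should never reach, both conditions can be watched for in the firewall's syslog. The following detector is an added example written for this page, not code from Cisco or from the advisory: it parses lines constructed here in the shape of ASA WebVPN authentication messages (716038 for a successful login, 716039 for a rejected one), raises an alert when one source address accumulates a threshold of rejections inside a sliding window, and flags any authentication event that names one of the watched default tunnel groups. The group names `DefaultADMINGroup` and `DefaultL2LGroup` are assumed here as the management and site-to-site defaults the text refers to; the sample log lines and the field layout in the regex are constructed for the example and should be checked against your own devices' output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunnel groups a remote-access user should normally never authenticate into.
# Assumed ASA defaults for the management and site-to-site profiles; adjust
# the set to the profiles actually defined on your device.
WATCHED_DEFAULT_GROUPS = {"DefaultADMINGroup", "DefaultL2LGroup"}

# Constructed sample log lines (not captured from a real device) in the shape
# of ASA 716038/716039 WebVPN authentication messages, plus one unrelated line.
SAMPLE_LOGS = """\
Sep 06 2023 10:00:01 asa1 : %ASA-6-716039: Group <DefaultWEBVPNGroup> User <admin> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:03 asa1 : %ASA-6-716039: Group <DefaultWEBVPNGroup> User <administrator> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:05 asa1 : %ASA-6-716039: Group <DefaultWEBVPNGroup> User <cisco> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:07 asa1 : %ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:09 asa1 : %ASA-6-716039: Group <DefaultWEBVPNGroup> User <test> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:11 asa1 : %ASA-6-716039: Group <DefaultWEBVPNGroup> User <guest> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:20 asa1 : %ASA-6-716039: Group <DefaultADMINGroup> User <jsmith> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN
Sep 06 2023 10:00:30 asa1 : %ASA-6-716038: Group <DefaultWEBVPNGroup> User <guest> IP <203.0.113.10> Authentication: successful, Session Type: WebVPN
Sep 06 2023 10:00:45 asa1 : %ASA-6-716038: Group <DefaultL2LGroup> User <jsmith> IP <198.51.100.7> Authentication: successful, Session Type: WebVPN
Sep 06 2023 10:01:00 asa1 : %ASA-6-716038: Group <CorpVPN> User <alee> IP <192.0.2.44> Authentication: successful, Session Type: WebVPN
Sep 06 2023 10:01:05 asa1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.44/51000 to inside:10.0.0.5/443
"""

# Field layout assumed for this example; verify it against real device output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-(?P<msgid>71603[89]): "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
    r"Authentication: (?P<result>successful|rejected), Session Type: WebVPN$"
)


def parse_line(line):
    """Return the fields of a WebVPN authentication message, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    return ev


def detect(lines, threshold=5, window_seconds=60, watched_groups=WATCHED_DEFAULT_GROUPS):
    """Scan log lines in order and return a list of alert dicts.

    brute_force: a source IP reached `threshold` rejections within the window
    default_group: any authentication event naming a watched default tunnel group
    success_after_brute_force: a successful login from an IP already flagged
    """
    window = timedelta(seconds=window_seconds)
    rejects = defaultdict(deque)  # source IP -> timestamps of recent rejections
    flagged = set()               # source IPs already reported for brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["group"] in watched_groups:
            alerts.append({"type": "default_group", "ip": ip, "user": ev["user"],
                           "group": ev["group"], "result": ev["result"], "ts": ev["ts"]})
        if ev["result"] == "rejected":
            q = rejects[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop rejections outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "count": len(q), "ts": ev["ts"]})
        elif ip in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": ip, "user": ev["user"],
                           "group": ev["group"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input this yields four alerts: the brute-force burst from 203.0.113.10 (reported once, at the fifth rejection, rather than on every later attempt), the rejected and then successful logins from 198.51.100.7 into the watched default groups, and the successful login from the already-flagged address. The same logic applies unchanged to a live syslog feed; the per-IP deque keeps memory bounded to the window, and the `flagged` set is what keeps a sustained attack from generating one alert per attempt.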
The vulnerability was disclosed in a Cisco advisory published on a Wednesday. Shortly afterwards, Cisco reported that it was aware of "attempted exploitation" of the flaw in the wild, and this activity was attributed to the Akira ransomware gang. That attribution underscores the urgency of patching and hardening affected devices without delay.