Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco’s line of network security devices introduced in May 2005. The Cisco ASA is a unified threat management device, combining several network security functions in one box. Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses.
Cisco Firepower Threat Defense is an integrative software image combining CISCO ASA and Firepower feature into one hardware and software inclusive system. The Cisco Firepower NGIPS is a next generation intrusion prevention system.
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:
Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).
Vulnerability Category: Authentication & Session Management
A successful exploit could allow the attacker to achieve one or both of the following:
NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2023-09-14. On August 24, Cisco’s Product Security Incident Response Team (PSIRT) published a blog post noting that the Akira ransomware group and its affiliates have been targeting Cisco VPNs as far back as March 2023. Remediation should be a priority in any impacted environment(s).
Seeing a high rate of syslog message %ASA-6-113015, which reports a failed authentication attempt, can indicate a brute force or password spraying attack.
Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability currently. While there is no method to completely prevent a brute force attack attempt, you can implement some recommendations to limit the impact of brute force attacks, detailed at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC#vp
NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2023-09-14. On August 24, Cisco’s Product Security Incident Response Team (PSIRT) published a blog post noting that the Akira ransomware group and its affiliates have been targeting Cisco VPNs as far back as March 2023. Remediation should be a priority in any impacted environment(s).
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
(The vendor has not advised of any alternative temporary mitigation or workarounds)
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)