Cisco releases interim workaround for a VPN zero-day exploited by Akira, LockBit ransomware

While it works on a full patch, the networking giant Cisco has issued an interim workaround for a zero-day vulnerability exploited by the Akira and LockBit ransomware operations.

Tracked as CVE-2023-20269, the vulnerability exists in the remote access VPN feature of Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software stacks. The issue stems from the improper separation of authentication, authorization, and accounting between the remote VPN feature, the HTTPS management, and site-to-site VPN features. The flaw can be used by a remote hacker to perform a brute-force attack and establish a clientless SSL VPN session with an unauthorized user.

However, the vulnerability does not allow attackers to bypass authentication.

“To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured,” the company noted.

In August, cybersecurity firm Rapid7 reported it observed an increase in attacks targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023.

In some cases, threat actors conducted credential stuffing attacks that leveraged weak or default passwords; in others, they performed targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or not enforced for all users. In several incidents, the attackers deployed the Akira and LockBit ransomware onto the compromised systems.

Rapid7 said it identified at least 11 victims who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023.
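
The two failed-login patterns described above, many usernames tried from one source versus repeated guesses against one account, can be told apart in authentication logs. The following Python is an added example, not code from Cisco or Rapid7; it assumes log lines shaped like ASA syslog message 113015, and the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log shape: ASA syslog 113015 (AAA user authentication Rejected).
REJECT = re.compile(r"%ASA-\d-113015: .*?user = (\S+)\s*: user IP = (\S+)")

def _line(user, ip):
    """Build one constructed sample log line."""
    return ("%ASA-6-113015: AAA user authentication Rejected : "
            f"reason = Invalid password : local database : user = {user} : user IP = {ip}")

# Constructed sample data; addresses come from documentation ranges.
SAMPLE = (
    [_line(u, "203.0.113.10") for u in ("admin", "test", "cisco", "guest", "vpn", "backup")]
    + [_line("jsmith", "198.51.100.7")] * 8
    + [_line("alice", "192.0.2.44")] * 2   # a user mistyping a password
)

def classify(lines, min_users=5, min_attempts=5):
    """Map source IP -> pattern label, using hypothetical thresholds."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> count
    for line in lines:
        m = REJECT.search(line)
        if m:
            user, ip = m.groups()
            failures[ip][user] += 1
    findings = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users:
            # Many distinct accounts from one source: stuffing/default-credential sweep.
            findings[ip] = "credential_stuffing"
        elif max(per_user.values()) >= min_attempts:
            # Repeated guesses against a single account.
            findings[ip] = "targeted_brute_force"
    return findings

if __name__ == "__main__":
    for ip, label in classify(SAMPLE).items():
        print(ip, label)
```

Grouping by source address alone misses attempts spread across many addresses, so the same counts are worth keeping per username as well.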

In addition, Cisco released security fixes to address multiple vulnerabilities, including a high-risk flaw (CVE-2023-20238) in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform that could be exploited by a remote attacker to bypass the authentication process.
