
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A zero-day vulnerability (CVE-2023-20269) was discovered in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability, disclosed on September 6, 2023, stems from improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features (Cisco Advisory).
The vulnerability allows two types of attacks: an unauthenticated remote attacker can conduct brute force attacks to identify valid username and password combinations, and an authenticated remote attacker can establish a clientless SSL VPN session with an unauthorized user. The vulnerability received a CVSS base score of 5.0 (Medium) from Cisco and 9.1 (Critical) from NVD. For successful exploitation, specific conditions must be met, including having at least one user configured with a password in the LOCAL database or HTTPS management authentication pointing to a valid AAA server, and SSL VPN or IKEv2 VPN enabled on at least one interface (NVD, Cisco Advisory).
A successful exploit could allow attackers to identify valid credentials that could be used to establish an unauthorized remote access VPN session, or establish a clientless SSL VPN session when running Cisco ASA Software Release 9.16 or earlier. The vulnerability has been actively exploited by ransomware groups including Akira and LockBit, particularly targeting systems without multi-factor authentication (Arctic Wolf, Tenable).
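The credential guessing described above appears in ASA syslog as runs of rejected AAA authentications from one source address. The following detection sketch is an added example, not code from this page or from Cisco: it assumes the ASA message IDs 113005 and 113015 (rejected AAA authentication) with `Mon DD YYYY HH:MM:SS` timestamps, and the thresholds, hostnames, addresses and usernames are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: documentation IP ranges and made-up usernames.
FMT = ("Sep 07 2023 10:{m:02d}:{s:02d} fw1 %ASA-6-{mid}: AAA user authentication "
       "Rejected : reason = {why} : user = {user} : user IP = {ip}")
LOCAL = "User was not found : local database"
REMOTE = "AAA failure : server = 10.0.0.5"
SAMPLE_LOG = "\n".join(
    [FMT.format(m=0, s=i * 5, mid=113015, why=LOCAL, user=u, ip="203.0.113.50")
     for i, u in enumerate(["admin", "test", "vpn", "cisco", "guest", "admin"])]
    + [FMT.format(m=2, s=i * 9, mid=113005, why=REMOTE, user="jsmith", ip="198.51.100.7")
       for i in range(6)]
    + [FMT.format(m=m, s=0, mid=113015, why=LOCAL, user="alice", ip="192.0.2.33")
       for m in (5, 45)])

REJECT = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-(?:113005|113015): "
    r"AAA user authentication Rejected : .*: user = (?P<user>\S+) : user IP = (?P<ip>\S+)")

def find_guessing(log_text, window=timedelta(minutes=5), max_fail=5, max_users=3):
    """Return {source_ip: summary} for IPs whose rejected logins cross a threshold.

    max_fail and max_users are assumed thresholds; tune them to local baselines.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            by_ip[m["ip"]].append((ts, m["user"]))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = peak_fails = peak_users = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            in_window = events[start:end + 1]
            peak_fails = max(peak_fails, len(in_window))
            peak_users = max(peak_users, len({u for _, u in in_window}))
        if peak_fails >= max_fail or peak_users >= max_users:
            # Many distinct usernames from one IP suggests spraying, not one forgotten password.
            kind = "multi-account" if peak_users >= max_users else "single-account"
            alerts[ip] = {"kind": kind, "failures": peak_fails, "users": peak_users}
    return alerts

if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample, two source addresses are flagged and the address with two failures 40 minutes apart is not.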
While Cisco has not yet released software updates that address this vulnerability, they have provided several workarounds. These include limiting the number of consecutive failed login attempts, implementing multi-factor authentication for all VPN accounts, and configuring dynamic access policies to terminate VPN tunnel establishment when default connection profiles are used. Organizations are strongly advised to enable MFA for all accounts to protect against brute force attacks and compromised credentials (Cisco Advisory, Arctic Wolf).
Source: This report was generated using AI