8th September 2023
Cisco has released a Security Advisory for an unauthorised access vulnerability in the VPN feature of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD).
CVE-2023-20269 (CVSS 3.1 base score 5.0, Medium) is due to improper separation of authentication, authorisation, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile (tunnel group) while conducting a brute force attack, or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:
- Identify valid credentials that could then be used to establish an unauthorised remote access VPN session.
- Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).
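The first outcome above is a credential brute force (or password spray) against the remote access VPN, which is visible in the ASA's own AAA reject syslog messages. The following detection script is an added example for this bulletin; it is not Cisco's code and is not taken from the Cisco advisory. It assumes ASA syslog message IDs 113005 and 113015 ("AAA user authentication Rejected", with a `Mon DD YYYY HH:MM:SS` timestamp prefix), and the sample log lines, IP addresses, usernames and alert thresholds are all constructed for illustration. Note that these two messages do not name the tunnel group, so the check does not depend on which connection profile the attacker specified.

```python
"""Flag brute-force and password-spray attempts against an ASA remote access VPN
from AAA reject syslog lines. Added example, not Cisco code; message formats,
thresholds and sample data are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed formats (Cisco ASA syslog message reference):
# %ASA-6-113005: AAA user authentication Rejected : reason = <r> : server = <ip> : user = <u> : user IP = <ip>
# %ASA-6-113015: AAA user authentication Rejected : reason = <r> : local database : user = <u> : user IP = <ip>
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-1130(?:05|15): "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"(?:server = \S+|local database) : user = (?P<user>.+?) : user IP = (?P<src>\S+)$"
)


def parse_rejects(lines):
    """Return one event dict per AAA reject line; other messages are skipped."""
    events = []
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "user": m.group("user"),
            "src": m.group("src"),
            "reason": m.group("reason"),
        })
    return events


def max_in_window(events, key, window, measure):
    """Group events by key(); for each group return the largest value of
    measure(window_events) over any sliding time window of the given length."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append(ev)
    result = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, measure(evs[start:end + 1]))
        result[k] = best
    return result


def analyse(lines, window=timedelta(minutes=5), spray_users=5, brute_attempts=10):
    """Spray: one source IP failing against many distinct usernames in the window.
    Brute force: one source IP failing repeatedly against one username.
    Thresholds are illustrative, not Cisco guidance."""
    events = parse_rejects(lines)
    spray = max_in_window(events, lambda e: e["src"], window,
                          lambda w: len({e["user"] for e in w}))
    brute = max_in_window(events, lambda e: (e["src"], e["user"]), window, len)
    return {
        "spray": {k: v for k, v in spray.items() if v >= spray_users},
        "brute": {k: v for k, v in brute.items() if v >= brute_attempts},
    }


# Constructed sample log, not real traffic: a spray from 203.0.113.10 (six users
# in under a minute), a brute force from 198.51.100.7 against "admin" (twelve
# attempts in a minute), two benign typos by jsmith, and one unrelated message.
SAMPLE_LOG = [
    "Sep 08 2023 10:14:59: %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51234 (203.0.113.10/51234) to identity:10.0.0.1/443 (10.0.0.1/443)",
]
SAMPLE_LOG += [
    f"Sep 08 2023 10:15:{i * 10:02d}: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = {u} : user IP = 203.0.113.10"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]
SAMPLE_LOG += [
    f"Sep 08 2023 10:20:{s:02d}: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7"
    for s in range(0, 60, 5)
]
SAMPLE_LOG += [
    "Sep 08 2023 09:02:11: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.5",
    "Sep 08 2023 09:40:55: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.5",
]

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for key, count in hits.items():
            print(f"{kind}: {key} -> {count} in window")
```

The natural follow-up, which this script does not do, is to correlate a flagged source IP with any subsequent successful VPN authentication from the same address, since the point of the brute force described above is to find credentials that then establish a real session.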
Specific, non-default conditions have to be met for the vulnerability to exist. These conditions are detailed in the Cisco Security Advisory.
At the time of writing, no security patches have been released for this vulnerability; however, workarounds are detailed in the Advisory.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Firepower Management Center (FMC) Software
- FXOS Software
- IOS Software
- IOS XE Software
- IOS XR Software
- NX-OS Software
If your device is not listed here, check the Cisco Security Advisory to confirm whether it is vulnerable.