Cisco has yet to patch zero-day exploit in two network security devices

In the meantime, Cisco recommends enforcing MFA and locking down remote access VPN sessions.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Networking giant Cisco has acknowledged a zero-day exploit affecting two of its most popular security appliances—and there’s no patch, even as attackers exploit it in the wild.

The bugs hide in software for Cisco Adaptive Security Appliance (ASA), a network security device that provides firewalls as well as antivirus and attack protection, and Firepower Threat Defense (FTD), its successor device. Ars Technica reported that in late August, Rapid7 researchers posted that their managed detection and response teams had noticed increased attacks on Cisco devices dating to March 2023, stating the incidents generally involved credential stuffing or brute force attacks on appliances where users lacked multi-factor authentication.

“Rapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023,” the researchers wrote. “Our team traced the malicious activity back to an ASA appliance servicing SSL VPNs for remote users. ASA appliance patches varied across compromised appliances—Rapid7 did not identify any particular version that was unusually susceptible to exploitation.”

In a September 6 advisory, Cisco acknowledged ASA and FTD software contained “improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features.” This offers attackers two routes, Cisco wrote:

  • “Identify[ing] valid credentials that could then be used to establish an unauthorized remote access VPN session.”
  • “Establish[ing] a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).”

Cisco considers the bug, classified CVE-2023-20269, to be of Medium severity.

The Rapid7 findings indicated that many of the attacks on Cisco devices involved mass login attempts, with the attackers either trying to brute force weak credentials or identifying users with default credentials. (A table of usernames frequently attempted during the attacks included classics like “admin” and “guest.”) Other cases may have involved purchased credentials.

After gaining access, the attackers “performed further lateral movement and binary executions across other systems within target environments to increase the scope of compromise,” according to Rapid7.

There is currently no patch, per Ars Technica, although the Cisco advisory lists “indicators of compromise” and suggests workarounds include enabling multi-factor authentication and enforcing strong credentials. It also contains guidance on various ways to restrict the ability of local users and default profiles to establish and maintain remote access VPN sessions.

Reached for comment via email, Cisco spokesperson Carro Halpin directed IT Brew to the advisory.

“We strongly recommend customers apply one of the suggested workarounds, review the recommendations shared in the Advisory and upgrade to a fixed software release once available,” Halpin wrote.
