Cisco fixes the zero-day CVE-2023-20269 flaw in its VPN products


In an age where digital fortresses are as critical as their physical counterparts, the walls protecting our virtual worlds are under siege. Recent vulnerabilities found in the Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software are placing businesses in the crosshairs of the relatively new and nefarious Akira Ransomware group.

CVE-2023-20269

The CVE-2023-20269 bug lies within the remote access VPN feature of Cisco’s renowned ASA and FTD software. With a CVSS score of 5.0, it might seem like a middling threat. This flaw opens two avenues of attack:

  1. It allows unauthenticated, remote attackers to brute-force valid username and password combinations.
  2. It permits such attackers to establish a clientless SSL VPN session with an unauthorized user.

The root of this vulnerability? Improper separation of authentication, authorization, and accounting (AAA). The result? Potential unauthorized entry into VPN sessions and a gold mine for hackers to extract valid credentials.
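The credential brute-forcing described above leaves a recognizable trace on the appliance: many rejected AAA logins for many different usernames from one source address in a short window. The following script, an added example that is neither Cisco's code nor part of the original article, flags that pattern in ASA-style syslog output; the sample lines are constructed, the timestamp layout is an assumption, and the thresholds and window size are parameters rather than Cisco recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the ASA %ASA-6-113005 (AAA authentication
# rejected) message. Addresses, users and timestamps are invented for this example.
SAMPLE_LOGS = """\
Sep 07 2023 10:00:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Sep 07 2023 10:00:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Sep 07 2023 10:00:03 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.7
Sep 07 2023 10:00:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.7
Sep 07 2023 10:00:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.7
Sep 07 2023 10:00:06 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc : user IP = 203.0.113.7
Sep 07 2023 10:03:10 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
"""

# Timestamp prefix layout is an assumption for this example; adjust to your syslog format.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

def parse_rejects(log_text):
    """Yield (timestamp, username, source_ip) for each AAA-rejected line."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["ip"]

def find_bruteforce(log_text, window_s=60, min_attempts=5, min_users=3):
    """Return {source_ip: (attempts, distinct_users)} for every source address that
    produced at least min_attempts rejections spanning at least min_users distinct
    usernames inside some sliding window of window_s seconds (largest window kept)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_rejects(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_attempts and len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(window), len(users)))
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOGS))
```

A single failed login from a second address is left alone, so the check distinguishes a spray of guesses from an ordinary typo.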

Emerging in March 2023, Akira Ransomware quickly evolved to target VPNs as its prime attack vector. This group doesn’t just aim to breach the corporate walls but dives deep into the sanctum, encrypting and extracting data with surgical precision.

For Akira, the modus operandi revolves around exploiting exposed applications or services, particularly VPNs. By leveraging known vulnerabilities in VPN software and finding cracks in multi-factor authentication (MFA), this group secures a foothold in target networks. From there, it’s a race against time as they plunder LSASS (Local Security Authority Subsystem Service) dumps for credentials, paving their way deeper into the network.

Furthermore, this group doesn’t shy away from using off-the-shelf tools such as PCHunter64 or even crafting minidumps to gather intel or pivot within the network.

In August 2023, Cisco’s PSIRT team flagged attempts to exploit the CVE-2023-20269 vulnerability. Cisco’s advisory to its users is unequivocal – upgrade to a fixed software release as soon as it’s available. While a fixed release is in the works, Cisco suggests implementing one of its recommended workarounds.