Cisco Security Advisory
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:
- Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
- Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).
Notes:
- Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured.
- This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
Affected Products
Vulnerable Products
At the time of publication, this vulnerability affected Cisco devices if they were running a vulnerable release of Cisco ASA or FTD Software. The exact conditions to determine whether a device is vulnerable depend on the desired outcome, as detailed below.
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Brute Force Attack
The brute force attack can be executed if both of the following conditions are met:
- At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.
- SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.
A successful brute force attack would allow an attacker to establish an unauthorized remote access VPN session.
Unauthorized Clientless SSL VPN Session Establishment
To successfully establish a clientless SSL VPN session, all of the following conditions need to be met:
- The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.
- The device is running Cisco ASA Software Release 9.16 or earlier.
- SSL VPN is enabled on at least one interface.
- The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.
Note: When running Cisco FTD Software, this attack cannot succeed as Cisco FTD Software does not support the clientless SSL VPN feature.
Determine the Device Configuration
To determine the configuration settings for the LOCAL database, HTTPS management authentication, IKEv2 VPN, SSL VPN, and clientless SSL VPN protocol on a device, use the following instructions.
Assess the LOCAL User Database
Use the show running-config username | include password CLI command to determine whether a local user with a password configured is present in the LOCAL database. Non-empty output of this command indicates that at least one user with a password is configured. Empty output of this command indicates that no user with a password set is configured.
The LOCAL user database is empty by default.
Assess the HTTPS Management Authentication Configuration
Use the show running-config aaa authentication | include http CLI command to determine whether HTTPS management authentication points to a valid AAA server. The following example shows the output of the show running-config aaa authentication | include http command on a device that points to AAA server ISE for HTTPS management authentication:
asa# show running-config aaa authentication | include http
aaa authentication http console ISE
The following example shows the output of this command on a device that points to the LOCAL database:
asa# show running-config aaa authentication | include http
aaa authentication http console LOCAL
HTTPS management authentication is not configured by default.
Notes:
- When running Cisco ASA Software, the aaa authentication http console command can also list both a AAA server and LOCAL. In this case, only the LOCAL database is used if the configured AAA server is not reachable.
- When running Cisco FTD Software, the aaa authentication http console aaa_server command can be pushed using FlexConfig only, and the LOCAL option is supported only in releases 7.0 and later.
Assess the IKEv2 VPN Configuration
Use the show running-config crypto ikev2 | include crypto ikev2 enable CLI command to determine whether IKEv2 VPN is enabled on any interface. Non-empty output of this command indicates that IKEv2 VPN is enabled on the listed interface(s). Empty output indicates that IKEv2 VPN is not enabled on any interface.
The following example shows the output of the show running-config crypto ikev2 | include crypto ikev2 enable command on a device that has IKEv2 VPN enabled on the outside interface:
asa# show running-config crypto ikev2 | include crypto ikev2 enable
crypto ikev2 enable outside
IKEv2 VPN is not enabled on any interface by default.
Note: The crypto ikev2 enable command may specify an additional client-services option that may include an optional port parameter. These options do not affect the device status in regard to this vulnerability.
Assess the SSL VPN Configuration
Use the show running-config webvpn | include ^ enable CLI command to determine whether SSL VPN is enabled on any interface. Non-empty output of this command indicates that SSL VPN is enabled on the listed interface(s). Empty output indicates that SSL VPN is not enabled on any interface.
The following example shows the output of the show running-config webvpn | include ^ enable command on a device that has SSL VPN enabled on the outside interface:
asa# show running-config webvpn | include ^ enable
 enable outside
SSL VPN is not enabled on any interface by default.
Assess the Clientless SSL VPN Protocol Configuration
Use the show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol CLI command to determine whether the clientless SSL VPN protocol is allowed in the DfltGrpPolicy. If the output of this command includes ssl-clientless, as shown in the following example, then the clientless SSL VPN protocol is allowed:
asa# show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
The clientless SSL VPN protocol is allowed in the DfltGrpPolicy by default.
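The five checks above can also be run offline against a saved copy of show running-config all (the all form is needed so that the DfltGrpPolicy defaults are visible). The following script is an added example, not Cisco's code and not part of the advisory. Each function mirrors one of the show running-config ... | include ... commands as a regular expression over the saved text, and the two *_possible() functions combine them into the two attack outcomes described in Vulnerable Products. The two sample configurations and the major.minor.patch release string it expects are constructed for illustration.

```python
"""Apply this advisory's five configuration checks to a saved running-config.

Added example, not Cisco's code. Each function mirrors one of the
"show running-config ... | include ..." checks, run here as a regex over a
copy of "show running-config all". The two *_possible() functions combine
them into the advisory's two outcomes. Sample configs are constructed.
"""
import re
from typing import List, Optional

# Constructed sample, not from a real device: a LOCAL user with a password, SSL VPN
# and IKEv2 on "outside", and the default DfltGrpPolicy still allowing ssl-clientless.
EXPOSED_CONFIG = """\
hostname asa
username admin password $sha512$5000$c29tZXNhbHQ=$aGFzaA== pbkdf2 privilege 15
aaa authentication http console LOCAL
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
 vpn-simultaneous-logins 3
"""

# Constructed variant: no LOCAL users and ssl-clientless removed, but HTTPS management
# authentication points to an external AAA server, so the brute force path remains.
NO_CLIENTLESS_CONFIG = """\
hostname asa
aaa-server ISE protocol radius
aaa authentication http console ISE LOCAL
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 vpn-simultaneous-logins 3
"""


def _subcommands(config: str, header: str) -> List[str]:
    """Sub-commands (indented by one space) under a top-level `header` line."""
    m = re.search(r"^" + re.escape(header) + r"\n((?: .*\n?)*)", config, re.M)
    return [line.strip() for line in m.group(1).splitlines()] if m else []


def local_users_with_password(config: str) -> List[str]:
    """show running-config username | include password"""
    return re.findall(r"^username (\S+) password ", config, re.M)


def http_auth_server_group(config: str) -> Optional[str]:
    """show running-config aaa authentication | include http (first group, e.g. ISE or LOCAL)"""
    m = re.search(r"^aaa authentication http console (\S+)", config, re.M)
    return m.group(1) if m else None


def ikev2_interfaces(config: str) -> List[str]:
    """show running-config crypto ikev2 | include crypto ikev2 enable
    (the optional client-services [port N] suffix is irrelevant, per the advisory note)"""
    return re.findall(r"^crypto ikev2 enable (\S+)", config, re.M)


def sslvpn_interfaces(config: str) -> List[str]:
    """show running-config webvpn | include ^ enable"""
    return [s.split()[1] for s in _subcommands(config, "webvpn") if s.startswith("enable ")]


def dfltgrppolicy_allows_clientless(config: str) -> bool:
    """show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol"""
    for s in _subcommands(config, "group-policy DfltGrpPolicy attributes"):
        if s.startswith("vpn-tunnel-protocol"):
            return "ssl-clientless" in s.split()[1:]
    return False


def _credential_store_reachable(config: str) -> bool:
    """A LOCAL user with a password, or HTTPS management authentication pointing at a AAA server."""
    return bool(local_users_with_password(config)) or http_auth_server_group(config) not in (None, "LOCAL")


def brute_force_possible(config: str) -> bool:
    """Both brute force conditions: a credential store to guess against and a VPN listener."""
    listener = bool(sslvpn_interfaces(config)) or bool(ikev2_interfaces(config))
    return _credential_store_reachable(config) and listener


def clientless_session_possible(config: str, release: str, is_ftd: bool = False) -> bool:
    """Configuration side of the clientless outcome; assumes the attacker holds valid credentials."""
    if is_ftd:
        return False  # FTD has no clientless SSL VPN feature
    major, minor = (int(p) for p in release.split(".")[:2])
    if (major, minor) > (9, 16):
        return False  # only ASA 9.16 and earlier are affected by this outcome
    return (_credential_store_reachable(config)
            and bool(sslvpn_interfaces(config))
            and dfltgrppolicy_allows_clientless(config))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("no-clientless", NO_CLIENTLESS_CONFIG)):
        print(name, "brute force:", brute_force_possible(cfg),
              "clientless on 9.16:", clientless_session_possible(cfg, "9.16.4"))
```

Note that the second sample still reports the brute force outcome as possible: removing ssl-clientless from the DfltGrpPolicy closes only the session-establishment path, while HTTPS management authentication pointing at an external AAA server keeps the credential store reachable through the VPN listener.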
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Firepower Management Center (FMC) Software
- FXOS Software
- IOS Software
- IOS XE Software
- IOS XR Software
- NX-OS Software
Indicators of Compromise
Indicators of compromise for this vulnerability are as follows.
Brute Force Attack
Seeing a high rate of syslog message %ASA-6-113015, which reports a failed authentication attempt, can indicate a brute force or password spraying attack. During a brute force attack, a high rate of these messages is typically seen for the same user and from the same IP address. During a password spraying attack, a high rate of these messages is typically seen for a set of users from the same IP address.
The following example shows that user admin failed to authenticate successfully, with the authentication request coming from IP address 172.16.17.18:
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 172.16.17.18
Unauthorized Clientless SSL VPN Session Establishment
Seeing a session establishment attempt (syslog message %ASA-7-734003) or termination event (syslog message %ASA-4-113019) that reports one of the following unexpected connection profiles/tunnel groups can indicate successful or attempted establishment of an unauthorized clientless SSL VPN session:
- DefaultADMINGroup
- DefaultL2LGroup
The following example shows a session establishment attempt in which user admin successfully authenticated using connection profile/tunnel group DefaultADMINGroup:
%ASA-7-734003: DAP: User admin, Addr 172.16.17.18: Session Attribute aaa.cisco.tunnelgroup = DefaultADMINGroup
The following example shows that a session created by user admin using connection profile/tunnel group DefaultADMINGroup has been terminated:
%ASA-4-113019: Group = DefaultADMINGroup, Username = admin, IP = 172.16.17.18, Session disconnected. Session Type: SSL, Duration: 0h:00m:11s, Bytes xmt: 390131, Bytes rcv: 34363, Reason: User Requested
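The following Python script, an added example that is not part of the advisory, runs these two indicators over syslog lines as a remote syslog server would store them. It separates brute force from password spraying by counting %ASA-6-113015 messages per source address and per username, and it flags %ASA-7-734003 and %ASA-4-113019 messages that name DefaultADMINGroup or DefaultL2LGroup. The sample log lines, the timestamp prefix, and the failure threshold of five are constructed assumptions, not values from the advisory.

```python
"""Flag the two indicators of compromise from this advisory in ASA syslog.

Added example, not Cisco's code. Sample lines are constructed; the threshold
and the syslog timestamp prefix are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

UNEXPECTED_TUNNEL_GROUPS = {"DefaultADMINGroup", "DefaultL2LGroup"}

FAILED_AUTH = re.compile(r"%ASA-6-113015: .*?: user = (\S+) : user IP = (\S+)")
DAP_SESSION = re.compile(r"%ASA-7-734003: DAP: User (\S+), Addr (\S+): "
                         r"Session Attribute aaa\.cisco\.tunnelgroup = (\S+)")
DISCONNECT = re.compile(r"%ASA-4-113019: Group = (\S+), Username = (\S+), IP = (\S+),")

_FAIL = ("Sep 06 2023 10:{:02d}:{:02d} asa : %ASA-6-113015: AAA user authentication Rejected : "
         "reason = {} : local database : user = {} : user IP = {}")
# Constructed sample syslog, not a real capture; addresses are documentation/private ranges.
SAMPLE_SYSLOG: List[str] = (
    # six failures, one user, one source: brute force against "admin"
    [_FAIL.format(0, i, "User was not found", "admin", "172.16.17.18") for i in range(6)]
    # six failures, six users, one source: password spraying
    + [_FAIL.format(1, i, "Invalid password", u, "192.0.2.77")
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # a single mistyped password: below threshold, not reported
    + [_FAIL.format(2, 0, "Invalid password", "jdoe", "198.51.100.5")]
    + [
        "Sep 06 2023 10:03:00 asa : %ASA-7-734003: DAP: User admin, Addr 172.16.17.18: "
        "Session Attribute aaa.cisco.tunnelgroup = DefaultADMINGroup",
        "Sep 06 2023 10:03:05 asa : %ASA-7-734003: DAP: User jdoe, Addr 198.51.100.5: "
        "Session Attribute aaa.cisco.tunnelgroup = MyCorporateProfile",
        "Sep 06 2023 10:03:20 asa : %ASA-4-113019: Group = DefaultADMINGroup, Username = admin, "
        "IP = 172.16.17.18, Session disconnected. Session Type: SSL, Duration: 0h:00m:11s, "
        "Bytes xmt: 390131, Bytes rcv: 34363, Reason: User Requested",
        "Sep 06 2023 10:05:00 asa : %ASA-4-113019: Group = DefaultL2LGroup, Username = svc-backup, "
        "IP = 203.0.113.9, Session disconnected. Session Type: SSL, Duration: 0h:00m:03s, "
        "Bytes xmt: 1024, Bytes rcv: 512, Reason: User Requested",
        "Sep 06 2023 10:06:00 asa : %ASA-4-113019: Group = MyCorporateProfile, Username = jdoe, "
        "IP = 198.51.100.5, Session disconnected. Session Type: SSL, Duration: 0h:10m:00s, "
        "Bytes xmt: 1, Bytes rcv: 1, Reason: User Requested",
    ]
)


def classify_failed_auths(lines: Iterable[str], threshold: int = 5) -> Dict[str, str]:
    """Per source IP with >= threshold 113015 failures: 'brute force' when every
    failure is for the same username, otherwise 'password spraying'."""
    users_by_ip: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            user, ip = m.groups()
            users_by_ip[ip].append(user)
    verdicts = {}
    for ip, users in users_by_ip.items():
        if len(users) >= threshold:
            verdicts[ip] = "brute force" if len(set(users)) == 1 else "password spraying"
    return verdicts


def default_tunnel_group_events(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """(message id, tunnel group, user, ip) for 734003/113019 events that name
    DefaultADMINGroup or DefaultL2LGroup; anything else is a normal profile and ignored."""
    events = []
    for line in lines:
        m = DAP_SESSION.search(line)
        if m and m.group(3) in UNEXPECTED_TUNNEL_GROUPS:
            events.append(("734003", m.group(3), m.group(1), m.group(2)))
            continue
        m = DISCONNECT.search(line)
        if m and m.group(1) in UNEXPECTED_TUNNEL_GROUPS:
            events.append(("113019", m.group(1), m.group(2), m.group(3)))
    return events


if __name__ == "__main__":
    for ip, verdict in classify_failed_auths(SAMPLE_SYSLOG).items():
        print(f"{ip}: {verdict}")
    for msg_id, group, user, ip in default_tunnel_group_events(SAMPLE_SYSLOG):
        print(f"{msg_id}: {user}@{ip} used {group}")
```

Because the regular expressions use search() rather than match(), the script accepts whatever prefix the collecting syslog server adds. The threshold should be tuned to the environment; a session on DefaultADMINGroup or DefaultL2LGroup, by contrast, needs no threshold, since the advisory gives no legitimate reason for a remote access session to land on either profile.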
Workarounds
While there is no method to completely prevent a brute force attack attempt, you can implement the following recommendations to limit the impact of brute force attacks and to protect against unauthorized Clientless SSL VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups.
Brute Force Attacks
Brute Force Attack Against the LOCAL User Database
To counter brute force attacks against the LOCAL user database, limit the number of consecutive failed login attempts that the ASA allows for a given user in the LOCAL user database using the aaa local authentication attempts max-fail number command in global configuration mode.
After a user makes the configured number of consecutive login attempts with a wrong password, the user is locked out and cannot log in successfully until the administrator either manually unlocks the user using the clear aaa local user lockout username username command or (when running Cisco ASA Software releases 9.17 and later) until 10 minutes pass. Locking or unlocking a username results in a syslog message as shown in the following example:
%ASA-6-113006: User 'test' locked out on exceeding '5' successive failed authentication attempts
%ASA-6-113007: User 'test' unlocked by 'enable_15'
Note: In Cisco ASA Software releases 9.16 and earlier, this feature does not apply to users with privilege level 15.
For further information on this feature, refer to the Cisco Secure Firewall ASA Series Command Reference.
Brute Force Attacks Against an External User Database
To counter brute force attacks against an external user database, limit the number of consecutive failed login attempts per user in the external user database.
If the external user database is Cisco Identity Services Engine (ISE), this can be configured under Administration > Identity Management > Settings > User Authentication Settings > Lock/Suspend Account with Incorrect Login Attempts.
Note: Brute force attacks against an external user database are possible only if either HTTPS management authentication or at least one connection profile/tunnel group points to an external user database.
Unauthorized Clientless SSL VPN Session Establishment
Dynamic Access Policies
Administrators can configure a dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used. For more information on how to configure DAP, see the Configure Dynamic Access Policies section of the Cisco ASA Series VPN ASDM Configuration Guide.
Deny Remote Access VPN Using the Default Group Policy (DfltGrpPolicy)
When the DfltGrpPolicy is not expected to be used for remote access VPN policy assignment, administrators can prevent remote access VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups by setting the vpn-simultaneous-logins option for the DfltGrpPolicy to zero, as shown in the following example:
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
Notes:
- Connection profiles/tunnel groups point to the DfltGrpPolicy by default. Before applying this workaround, administrators must confirm that all connection profiles/tunnel groups that are expected to be used for remote access VPN session establishment in their environment point to a custom group policy by using the default-group-policy option in tunnel-group name general-attributes configuration mode. If the default-group-policy option is not visible in the running configuration for a given connection profile/tunnel group, that connection profile/tunnel group uses the DfltGrpPolicy.
- By default, custom group policies inherit the vpn-simultaneous-logins setting from the DfltGrpPolicy. Before applying this workaround, administrators must ensure that all group policies that are expected to be used with remote access VPN sessions explicitly configure the vpn-simultaneous-logins option to a value larger than zero.
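The two notes above amount to a pre-check that can be automated. The following script, an added example that is not Cisco's code and not part of the advisory, parses a saved running-config, resolves each remote access connection profile to its group policy, and reports every profile that would silently fall back to the DfltGrpPolicy or inherit the new zero. Only when the report is empty does it return the two-line workaround. The sample configurations and the profile and policy names in them are constructed.

```python
"""Pre-check for the "vpn-simultaneous-logins 0 in DfltGrpPolicy" workaround.

Added example, not Cisco's code: parses a saved running-config and lists the
profiles and group policies that the advisory's two notes say must be fixed
first. Sample configs are constructed.
"""
import re
from typing import Dict, List, Optional, Set

BUILTIN_PROFILES = {"DefaultRAGroup", "DefaultWEBVPNGroup", "DefaultADMINGroup", "DefaultL2LGroup"}

# Constructed sample: "Contractors" has no default-group-policy (note 1) and
# GP_Corporate inherits vpn-simultaneous-logins from the DfltGrpPolicy (note 2).
UNSAFE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
group-policy GP_Corporate attributes
 vpn-tunnel-protocol ssl-client
tunnel-group MyCorporateProfile type remote-access
tunnel-group MyCorporateProfile general-attributes
 address-pool RAVPN_POOL
 default-group-policy GP_Corporate
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 address-pool RAVPN_POOL
"""

# The same deployment after both notes are satisfied and the workaround is applied.
SAFE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy GP_Corporate attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
group-policy GP_Contractors attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 1
tunnel-group MyCorporateProfile type remote-access
tunnel-group MyCorporateProfile general-attributes
 default-group-policy GP_Corporate
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 default-group-policy GP_Contractors
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its sub-commands (ASA indents those by one space)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def default_group_policy(blocks: Dict[str, List[str]], profile: str) -> str:
    """Note 1: a profile with no default-group-policy line uses the DfltGrpPolicy."""
    for sub in blocks.get(f"tunnel-group {profile} general-attributes", []):
        if sub.startswith("default-group-policy "):
            return sub.split()[1]
    return "DfltGrpPolicy"


def explicit_simultaneous_logins(blocks: Dict[str, List[str]], policy: str) -> Optional[int]:
    """Note 2: None means the value is inherited from the DfltGrpPolicy."""
    for sub in blocks.get(f"group-policy {policy} attributes", []):
        if sub.startswith("vpn-simultaneous-logins "):
            return int(sub.split()[1])
    return None


def dfltgrppolicy_zero_findings(config: str, expected: Optional[Set[str]] = None) -> List[str]:
    """Reasons the workaround is not yet safe (empty list: safe). `expected` is the set of
    profiles legitimate users rely on; default: all remote-access profiles except built-ins."""
    blocks = parse_blocks(config)
    if expected is None:
        found = (re.match(r"tunnel-group (\S+) type remote-access$", h) for h in blocks)
        expected = {m.group(1) for m in found if m} - BUILTIN_PROFILES
    findings = []
    for profile in sorted(expected):
        policy = default_group_policy(blocks, profile)
        logins = explicit_simultaneous_logins(blocks, policy)
        if policy == "DfltGrpPolicy":
            findings.append(f"tunnel-group {profile}: uses DfltGrpPolicy, add a default-group-policy")
        elif logins is None:
            findings.append(f"group-policy {policy} (used by {profile}): inherits vpn-simultaneous-logins, set it explicitly")
        elif logins == 0:
            findings.append(f"group-policy {policy} (used by {profile}): vpn-simultaneous-logins 0 would block its users")
    return findings


def workaround_commands(config: str) -> List[str]:
    """The CLI from the advisory, or an empty list while the pre-check still fails."""
    if dfltgrppolicy_zero_findings(config):
        return []
    return ["group-policy DfltGrpPolicy attributes", " vpn-simultaneous-logins 0"]
```

Pass expected= explicitly when some remote-access profiles in the configuration are deliberately unused; the default excludes only the four built-in Default* profiles.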
Restrict Users in the LOCAL User Database
The following two workarounds apply to clientless SSL VPN session establishment through the DefaultADMINGroup only when HTTPS management authentication points to the LOCAL user database. They always apply to clientless SSL VPN session establishment through the DefaultL2LGroup.
Lock Users to a Specific Connection Profile/Tunnel Group Only
When users in the LOCAL user database are expected to be able to establish remote access VPN tunnels, administrators can use the group-lock option in username attributes configuration mode to configure a lock so that users can only connect to a specific connection profile/tunnel group. The following example shows how to lock user lockeduser to connection profile/tunnel group MyCorporateProfile:
username lockeduser attributes
 group-lock value MyCorporateProfile
Prevent Users from Establishing Remote Access VPN Sessions
When users in the LOCAL user database are not expected to be able to establish remote access VPN tunnels at all, administrators can prevent these users from successfully establishing a remote access VPN tunnel by setting the vpn-simultaneous-logins option in username attributes configuration mode to zero, as shown in the following example:
username novpn attributes
 vpn-simultaneous-logins 0
While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Fixed Software
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco ASA, FMC, and FTD Software
To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to search for vulnerabilities that affect a specific software release. To use the form, follow these steps:
- Choose which advisories the tool will search: all advisories, only advisories with a Critical or High Security Impact Rating (SIR), or only this advisory.
- Choose the appropriate software.
- Choose the appropriate platform.
- Enter a release number, for example 9.16.2.11 for Cisco ASA Software or 6.6.7 for Cisco FTD Software.
- Click Check.
For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide.
Cisco FTD Software Hot Fixes
Cisco has released the following hot fixes to address this vulnerability. Customers can download the hot fixes from the Software Center on Cisco.com.
Cisco FTD Software Release    Hot Fix Name
7.0.6                         Cisco_FTD_Hotfix_EI-7.0.6.1-3.sh.REL.tar
                              Cisco_FTD_SSP_FP1K_Hotfix_EI-7.0.6.1-3.sh.REL.tar
                              Cisco_FTD_SSP_FP2K_Hotfix_EI-7.0.6.1-3.sh.REL.tar
                              Cisco_FTD_SSP_Hotfix_EI-7.0.6.1-3.sh.REL.tar
7.2.5                         Cisco_FTD_Hotfix_BJ-7.2.5.1-1.sh.REL.tar
                              Cisco_FTD_SSP_FP1K_Hotfix_BJ-7.2.5.1-1.sh.REL.tar
                              Cisco_FTD_SSP_FP2K_Hotfix_BJ-7.2.5.1-1.sh.REL.tar
                              Cisco_FTD_SSP_FP3K_Hotfix_BJ-7.2.5.1-1.sh.REL.tar
                              Cisco_FTD_SSP_Hotfix_BJ-7.2.5.1-1.sh.REL.tar
For details about downloading and installing these hot fixes, see Cisco Firepower Hot Fix Release Notes.
Additional Resources
For help determining the best Cisco ASA, FMC, or FTD Software release, see the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.
Cisco ASA Compatibility
Cisco Secure Firewall ASA Upgrade Guide
Cisco Secure Firewall Threat Defense Compatibility Guide
Recommendations
Cisco makes the following recommendations in regard to this vulnerability:
Secure Default Remote Access VPN Profiles
When the default remote access VPN connection profiles/tunnel groups DefaultRAGroup and DefaultWEBVPNGroup are not used, Cisco recommends preventing authentication attempts and remote access VPN session establishment using these default connection profiles/tunnel groups by pointing them to a sinkhole AAA server. To do this, use the following steps:
- Configure a dummy Lightweight Directory Access Protocol (LDAP) server, as shown in the following example:
aaa-server AAA_Sinkhole protocol ldap
- Point DefaultRAGroup, DefaultWEBVPNGroup, or both to this dummy LDAP server, as shown for the DefaultWEBVPNGroup in the following example:
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group AAA_Sinkhole
Enable Logging
Logging is a crucial part of cybersecurity that involves recording events happening within a system. The absence of detailed logs leaves gaps in understanding, hindering a clear analysis of the attack method. Cisco recommends enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices.
For information on how to configure logging, see the following platform-specific guides.
Cisco ASA Software
- Use Guide to Secure ASA Firewall
- Logging chapter of the Cisco Secure Firewall ASA Series General Operations CLI Configuration Guide
Cisco FTD Software
- Configure Logging on FTD via FMC
- Configure Syslog section in the Platform Settings chapter of the Cisco Secure Firewall Management Center Device Configuration Guide
- Configure and Verify Syslog in Firepower Device Manager
- Configuring System Logging Settings section in the System Settings chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager
Exploitation and Public Announcements
In August 2023, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability once available and apply one of the suggested workarounds in the meantime.
For information on observed attempted exploitation of this vulnerability, see the Cisco blog post on Akira Ransomware Targeting VPNs without Multi-Factor Authentication. As explained in this blog post, organizations can significantly reduce the risk of unauthorized access, including a potential ransomware infection, by enabling MFA in VPN implementations.
Source
This vulnerability was found during the resolution of a Cisco TAC support case.
Cisco would like to thank Rapid7 for reporting attempted exploitation of this vulnerability.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
- Version 1.4 (2023-OCT-11, Final): Updated the advisory status to Final. Updated the summary to say that fixed software is available. Clarified the implications of using vpn-simultaneous-logins 0 in the DfltGrpPolicy. Added Cisco FTD Software hot fixes. Sections: Header, Summary, Workarounds, Fixed Releases.
- Version 1.3 (2023-SEP-29, Interim): Updated the Software Checker link. Section: Fixed Software.
- Version 1.2 (2023-SEP-27, Interim): Clarified which workarounds apply to which attack scenario. Section: Workarounds.
- Version 1.1 (2023-SEP-11, Interim): Updated the definition of brute force attack. Clarified information about support for the LOCAL user database in Cisco FTD Software releases 7.0 and later. Added workarounds against brute force attacks. Sections: Vulnerable Products, Workarounds.
- Version 1.0 (2023-SEP-06, Interim): Initial public release.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.