Published: September 11, 2023
Overview
Cisco has released security fixes to address multiple security flaws in various Cisco devices, including a critical bug. The most severe of the issues is CVE-2023-20238 (CVSS score: 10.0). It’s described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. A high-severity flaw in the RADIUS message processing feature of Cisco Identity Services Engine (CVE-2023-20243, CVSS score: 8.6) could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets. There is also an unpatched medium-severity flaw (CVE-2023-20269, CVSS score: 5.0) in Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software that the company said could allow an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
Impact
The impact of the vulnerabilities are as follows:
- CVE-2023-20238 (CVSS scores: 10) – This vulnerability is due to the method used to validate SSO tokens. An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or execute commands at the privilege level of the forged account.
- CVE-2023-20243 (CVSS scores: 8.6) – A successful exploit could allow the attacker to force the RADIUS process to unexpectedly restart, resulting in authentication or authorization timeouts and denying legitimate users access to the network or service.
- CVE-2023-20269 (CVSS scores: 5.3) – This vulnerability could permit an unauthenticated, remote attacker to easily conduct a brute-force attack to identify valid username and password combinations and then use the stolen credentials to establish an unauthorized remote access VPN session. There have been a surge in brute-force activities aimed at Cisco ASA SSL VPN appliances to deploy Akira and LockBit ransomware, indicating CVE-2023-20269 is being actively exploited in the wild to gain unauthorized access.
Applicable Versions
For CVE-2023-20238
| Affected Versions (BroadWorks Application Delivery Platform) | Fixed Version |
|---|---|
| 22.0 and earlier | 23.0.1075.ap385341 |
| 23.0 | 23.0.1075.ap385341 |
For CVE-2023-20243
| Affected Versions (Cisco Identity Service Engine) | Fixed Version |
|---|---|
| 3.1 | 3.1P7 |
| 3.2 | 3.2P3 |
For CVE-2023-20269
| Affected Versions (Cisco ASA Software) | Fixed Version |
|---|---|
| 9.16 and earlier | Yet to be released |
Mitigations and Workarounds
There are several mitigations and workarounds for some of these Cisco vulnerabilities:
- For CVE-2023-20238: There are currently no workarounds that address this vulnerability.
- For CVE-2023-20243: There are currently no workarounds. To mitigate this vulnerability, customers can turn off RADIUS accounting on the network access device (NAD) sending the crafted packets to the Cisco ISE PSN.
- For CVE-2023-20269: Administrators can configure a dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used. Strong passwords and two-factor authentication should be implemented for remote access VPN connections.
- Apply the patches issued by Cisco to resolve the vulnerability
- Monitoring network traffic for any signs of exploitation
It is important to note that while these mitigations and workarounds can reduce the risk of exploitation, they do not completely eliminate it. Therefore, it is highly recommended that users apply the patch issued by Cisco as soon as possible to prevent exploitation of the vulnerability.
Best Practices
To help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, FTD, and FXOS Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory.
The exact conditions to determine whether a device is vulnerable depends on the desired outcome, so users should review each advisory carefully.
Additionally, users can check if they have applied the patch issued by Cisco to fix the vulnerability. It is also recommended to monitor network traffic for any signs of exploitation.
Users should continually review their security policies and ensure that they are following best practices for securing their network devices.
By following these best practices, users can reduce the risk of exploitation and help to prevent CVE-2023-20238, CVE-2023-20243 and CVE-2023-20269 from being exploited and minimize the impact if it is exploited.
Netsurion Detection and Response
Netsurion researchers are continuously monitoring the exploits of this vulnerability. Our security analysts will add the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion Threat Center, our threat intelligence platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect the exploitation of this vulnerability. Netsurion’s vulnerability management system will also detect the vulnerabilities (CVE-2023-20238, CVE-2023-20243 and CVE-2023-20269) for customers who have subscribed to Netsurion Vulnerability Management.
References:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-auth-bypass-kCggMWhX
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radius-dos-W7cNn7gt
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/
- https://thehackernews.com/2023/09/cisco-issues-urgent-fix-for.html
- https://www.securityweek.com/cisco-patches-critical-vulnerability-in-broadworks-platform/