Synopsis: Cisco has issued a warning about a zero-day vulnerability in the Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). This zero-day has been actively exploited by ransomware operations to access corporate networks.

This vulnerability affects the VPN feature of these devices, enabling unauthorized attackers to perform brute force attacks against existing accounts. A successful attack can establish a clientless SSL VPN session within the victim’s network. Cisco confirmed that the vulnerability is being used by ransomware gangs and has provided interim workarounds pending security updates.

Actions: 

  • Use DAP (Dynamic Access Policies) to terminate VPN tunnels that use the DefaultADMINGroup or DefaultL2LGroup connection profiles
  • Deny access through the default group policy by setting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensure that every VPN connection profile points to a custom group policy
  • Restrict LOCAL user database accounts by locking each user to a single connection profile with the ‘group-lock’ option, and prevent unwanted VPN sessions by setting ‘vpn-simultaneous-logins’ to zero for accounts that should never connect
  • Secure a Default Remote Access VPN profile by pointing all non-default profiles to a sinkhole AAA server, and enable logging so that attack attempts are caught early
  • Enable MFA to mitigate the risk: even successfully brute-forced credentials are not enough to hijack an MFA-protected account
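The actions above, expressed as an ASA CLI configuration fragment. This is an added example, not configuration from the original advisory or from Cisco; the profile names (CORP-VPN, CORP-GP, CORP-AAA, SINKHOLE), usernames, RADIUS key and the 192.0.2.0/24 addresses are placeholders. The DAP rule is not shown because it is normally built in ASDM rather than at the CLI; the sinkhole AAA server is applied to the default connection profiles so that only the named custom profile ever reaches the real authentication server.

```cisco
! --- Custom group policy and connection profile that legitimate users use ---
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-simultaneous-logins 3
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group CORP-AAA
 default-group-policy CORP-GP
!
! --- Deny any session that falls back to the default group policy ---
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! --- LOCAL users: lock each account to the one profile it may use ---
username alice attributes
 group-lock value CORP-VPN
!
! A local account that must never build a VPN session (placeholder name)
username svc-backup attributes
 vpn-simultaneous-logins 0
!
! --- Sinkhole AAA server: an unreachable RADIUS host so default profiles
! --- can never authenticate anyone (192.0.2.254 is a placeholder)
aaa-server SINKHOLE protocol radius
aaa-server SINKHOLE (inside) host 192.0.2.254
 key SINKHOLE-KEY
!
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE
!
! --- Logging so rejected authentications reach the SOC collector ---
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10
```

After applying the change, `show running-config tunnel-group` and `show running-config group-policy` confirm that no remaining connection profile inherits DfltGrpPolicy without an explicit custom policy.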

Associated Articles: 

Cisco warns of VPN zero-day exploited by ransomware gangs

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability
