Cisco Adaptive Security Appliance
cpe:2.3:a:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:* (6 additional CPE entries not shown)
- Affected: <= 9.16
This vulnerability is being actively exploited in the wild.
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack to identify valid username and password combinations. Additionally, an authenticated, remote attacker could use this vulnerability to establish a clientless SSL VPN session with an unauthorized user. The root cause is improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features, so credentials intended for those other features can be tested, and used, through the remote access VPN endpoint. An attacker exploits this by specifying a default connection profile (tunnel group) in the request, either while brute forcing credentials or when using valid credentials to open a clientless SSL VPN session. A successful attack lets the attacker identify valid credentials that could then be used to establish an unauthorized remote access VPN session and, on Cisco ASA Software Release 9.16 or earlier, establish an unauthorized clientless SSL VPN session.
Successful exploitation yields unauthorized access via remote access VPN and, on affected Cisco ASA Software releases through 9.16, the ability to establish unauthorized clientless SSL VPN sessions.
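Because the attack path described above runs through a default connection profile, the tunnel group name is the most useful field to watch in the appliance's WebVPN authentication syslog. The following is an added example, not code from the advisory or from Cisco: a small detector that parses constructed syslog lines, flags any authentication attempt that names a default tunnel group, flags bursts of rejected logins from one source, and flags a success that follows such a burst (the brute force having found a valid credential). The message layout assumed for syslog IDs 716038 (WebVPN authentication successful) and 716039 (WebVPN authentication rejected), the set of default tunnel group names, and the window and threshold values are all assumptions of this example; verify the format against your own appliance's output before deploying the regex.

```python
"""Flag default-tunnel-group use and brute force in Cisco ASA WebVPN auth syslog.

Added example, not from the advisory. The line layout for syslog IDs 716038 and
716039 is assumed from memory and must be checked against real ASA output; the
sample log below is constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the standard ASA default tunnel groups. DefaultADMINGroup is the one
# tied to HTTPS management; ordinary remote-access users should never present it.
DEFAULT_TUNNEL_GROUPS = {
    "DefaultADMINGroup", "DefaultL2LGroup", "DefaultRAGroup", "DefaultWEBVPNGroup",
}

# Assumed layout:
# "<Mon DD HH:MM:SS> <host> %ASA-6-7160{38,39}: Group <g> User <u> IP <ip>
#  Authentication: <successful|rejected>, Session Type: WebVPN."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?%ASA-\d-(?P<id>71603[89]): "
    r"Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"Authentication: (?P<result>successful|rejected)"
)

# Constructed sample: one source hammering DefaultADMINGroup with five
# usernames, then logging in; one legitimate user on a named profile.
SAMPLE_LOG = """\
Sep 12 10:00:01 asa01 %ASA-6-716039: Group DefaultADMINGroup User admin IP 203.0.113.7 Authentication: rejected, Session Type: WebVPN.
Sep 12 10:00:02 asa01 %ASA-6-716039: Group DefaultADMINGroup User cisco IP 203.0.113.7 Authentication: rejected, Session Type: WebVPN.
Sep 12 10:00:03 asa01 %ASA-6-716039: Group DefaultADMINGroup User enable IP 203.0.113.7 Authentication: rejected, Session Type: WebVPN.
Sep 12 10:00:04 asa01 %ASA-6-716039: Group DefaultADMINGroup User guest IP 203.0.113.7 Authentication: rejected, Session Type: WebVPN.
Sep 12 10:00:05 asa01 %ASA-6-716039: Group DefaultADMINGroup User backup IP 203.0.113.7 Authentication: rejected, Session Type: WebVPN.
Sep 12 10:00:06 asa01 %ASA-6-716038: Group DefaultADMINGroup User svc-backup IP 203.0.113.7 Authentication: successful, Session Type: WebVPN.
Sep 12 10:01:10 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51000 to identity:192.0.2.1/443
Sep 12 10:02:00 asa01 %ASA-6-716039: Group CorpVPN User jdoe IP 198.51.100.20 Authentication: rejected, Session Type: WebVPN.
Sep 12 10:02:30 asa01 %ASA-6-716038: Group CorpVPN User jdoe IP 198.51.100.20 Authentication: successful, Session Type: WebVPN.
"""


def parse_events(text):
    """Return WebVPN auth events as dicts; lines with other syslog IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # No year in the syslog timestamp; strptime defaults to 1900, which is
        # fine for the time deltas used below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "group": m["group"], "user": m["user"],
                       "ip": m["ip"], "ok": m["result"] == "successful"})
    return events


def analyze(events, window=timedelta(minutes=5), threshold=5):
    """Return (kind, source_ip, detail) findings. Window and threshold are arbitrary."""
    findings = []
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    for ip, evs in by_ip.items():
        # Any attempt against a default tunnel group is suspicious on its own,
        # regardless of outcome: that is the profile the attack path abuses.
        for group in sorted({e["group"] for e in evs if e["group"] in DEFAULT_TUNNEL_GROUPS}):
            findings.append(("default_tunnel_group", ip, group))

        recent_failures = []  # rejected events from this IP inside the sliding window
        for ev in evs:
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["ok"]:
                # A login that lands right after a burst of rejections is the
                # brute force paying off; the username is what was found.
                if len(recent_failures) >= threshold:
                    findings.append(("success_after_bruteforce", ip, ev["user"]))
                continue
            recent_failures.append(ev)
            if len(recent_failures) == threshold:  # report once when the burst crosses the line
                users = len({f["user"] for f in recent_failures})
                findings.append(("bruteforce", ip, f"{threshold} failures, {users} usernames"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyze(parse_events(SAMPLE_LOG)):
        print(f"{kind:25} {ip:15} {detail}")
```

Only the attacking source produces findings: the named-profile user's single typo and retry stays below the threshold and never touches a default tunnel group. In production, feed the parser from your syslog collector rather than the embedded sample, and treat a `default_tunnel_group` hit as worth investigating even when the burst threshold is not reached.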
Cisco has released software updates to address this vulnerability. For instructions on upgrading Cisco ASA or FTD Software, refer to the Cisco ASA Upgrade Guide or the Cisco Firepower Management Center Upgrade Guide. Specific hot fixes for Cisco FTD Software are available for versions 7.0.6 and 7.2.5.