CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile: 91.6%
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack. A successful exploit could allow the attacker to identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
Notes:
Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured.
This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required including a valid second factor if multi-factor authentication (MFA) is configured.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');

if (description)
{
  script_id(182523);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/04");

  script_cve_id("CVE-2023-20269");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwh23100");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwh45108");
  script_xref(name:"CISCO-SA", value:"cisco-sa-asaftd-ravpn-auth-8LyfCkeC");
  script_xref(name:"IAVA", value:"2023-A-0460");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/10/04");

  script_name(english:"Cisco Adaptive Security Appliance Software Remote Access VPN Unauthorized Access - Brute Force Attack (cisco-sa-asaftd-ravpn-auth-8LyfCkeC)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an
unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password
combinations. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA)
between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit
this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack. A
successful exploit could allow the attacker to identify valid credentials that could then be used to establish an unauthorized
remote access VPN session. Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection
profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an
attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required
including a valid second factor if multi-factor authentication (MFA) is configured.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e25914dd");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh23100");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh45108");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwh23100 and CSCwh45108");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20269");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA/model");

  exit(0);
}
include('ccf.inc');
include('cisco_workarounds.inc');
var product_info = cisco::get_product_info(name:'Cisco Adaptive Security Appliance (ASA) Software');
var model = product_info['model'];
var vuln_versions = NULL;
# Cisco Firepower 1000, 2100, 4100, 9000 Series
if (model =~ "(FPR-?|Firepower)\s*(1[0-9]{3}|1K|21[0-9]{2}|2K|41[0-9]{2}|4K|9[0-9]{3}|9K)")
{
vuln_versions = make_list(
'9.8.1',
'9.8.1.5',
'9.8.1.7',
'9.8.2',
'9.8.2.8',
'9.8.2.14',
'9.8.2.15',
'9.8.2.17',
'9.8.2.20',
'9.8.2.24',
'9.8.2.26',
'9.8.2.28',
'9.8.2.33',
'9.8.2.35',
'9.8.2.38',
'9.8.3',
'9.8.3.8',
'9.8.3.11',
'9.8.3.14',
'9.8.3.16',
'9.8.3.18',
'9.8.3.21',
'9.8.3.26',
'9.8.3.29',
'9.8.4',
'9.8.4.3',
'9.8.4.7',
'9.8.4.8',
'9.8.4.10',
'9.8.4.12',
'9.8.4.15',
'9.8.4.17',
'9.8.4.20',
'9.8.4.22',
'9.8.4.25',
'9.8.4.26',
'9.8.4.29',
'9.8.4.32',
'9.8.4.34',
'9.8.4.35',
'9.8.4.39',
'9.8.4.40',
'9.8.4.41',
'9.8.4.43',
'9.8.4.44',
'9.8.4.45',
'9.8.4.46',
'9.8.4.48',
'9.12.1',
'9.12.1.2',
'9.12.1.3',
'9.12.2',
'9.12.2.1',
'9.12.2.4',
'9.12.2.5',
'9.12.2.9',
'9.12.3',
'9.12.3.2',
'9.12.3.7',
'9.12.3.9',
'9.12.3.12',
'9.12.4',
'9.12.4.2',
'9.12.4.4',
'9.12.4.7',
'9.12.4.8',
'9.12.4.10',
'9.12.4.13',
'9.12.4.18',
'9.12.4.24',
'9.12.4.26',
'9.12.4.29',
'9.12.4.30',
'9.12.4.35',
'9.12.4.37',
'9.12.4.38',
'9.12.4.39',
'9.12.4.40',
'9.12.4.41',
'9.12.4.47',
'9.12.4.48',
'9.12.4.50',
'9.12.4.52',
'9.12.4.54',
'9.12.4.55',
'9.12.4.56',
'9.12.4.58',
'9.14.1',
'9.14.1.10',
'9.14.1.15',
'9.14.1.19',
'9.14.1.30',
'9.14.2',
'9.14.2.4',
'9.14.2.8',
'9.14.2.13',
'9.14.2.15',
'9.14.3',
'9.14.3.1',
'9.14.3.9',
'9.14.3.11',
'9.14.3.13',
'9.14.3.15',
'9.14.3.18',
'9.14.4',
'9.14.4.6',
'9.14.4.7',
'9.14.4.12',
'9.14.4.13',
'9.14.4.14',
'9.14.4.15',
'9.14.4.17',
'9.14.4.22',
'9.14.4.23',
'9.15.1',
'9.15.1.1',
'9.15.1.7',
'9.15.1.10',
'9.15.1.15',
'9.15.1.16',
'9.15.1.17',
'9.15.1.21',
'9.16.1',
'9.16.1.28',
'9.16.2',
'9.16.2.3',
'9.16.2.7',
'9.16.2.11',
'9.16.2.13',
'9.16.2.14',
'9.16.3',
'9.16.3.3',
'9.16.3.14',
'9.16.3.15',
'9.16.3.19',
'9.16.3.23',
'9.16.4',
'9.16.4.9',
'9.16.4.14',
'9.16.4.18',
'9.16.4.19',
'9.16.4.27',
'9.16.4.38',
'9.17.1',
'9.17.1.7',
'9.17.1.9',
'9.17.1.10',
'9.17.1.11',
'9.17.1.13',
'9.17.1.15',
'9.17.1.20',
'9.17.1.30',
'9.18.1',
'9.18.1.3',
'9.18.2',
'9.18.2.5',
'9.18.2.7',
'9.18.2.8',
'9.18.3',
'9.18.3.39',
'9.18.3.46',
'9.18.3.53',
'9.18.3.55',
'9.19.1',
'9.19.1.5',
'9.19.1.9',
'9.19.1.12',
'9.19.1.18'
);
}
# Cisco ASA 5500-X Series Firewalls
else if (model =~ "ASA55[0-9]{2}-X")
{
vuln_versions = make_list(
'9.8.1',
'9.8.1.5',
'9.8.1.7',
'9.8.2',
'9.8.2.8',
'9.8.2.14',
'9.8.2.15',
'9.8.2.17',
'9.8.2.20',
'9.8.2.24',
'9.8.2.26',
'9.8.2.28',
'9.8.2.33',
'9.8.2.35',
'9.8.2.38',
'9.8.3',
'9.8.3.8',
'9.8.3.11',
'9.8.3.14',
'9.8.3.16',
'9.8.3.18',
'9.8.3.21',
'9.8.3.26',
'9.8.3.29',
'9.8.4',
'9.8.4.3',
'9.8.4.7',
'9.8.4.8',
'9.8.4.10',
'9.8.4.12',
'9.8.4.15',
'9.8.4.17',
'9.8.4.20',
'9.8.4.22',
'9.8.4.25',
'9.8.4.26',
'9.8.4.29',
'9.8.4.32',
'9.8.4.33',
'9.8.4.34',
'9.8.4.35',
'9.8.4.39',
'9.8.4.40',
'9.8.4.41',
'9.8.4.43',
'9.8.4.44',
'9.8.4.45',
'9.8.4.46',
'9.8.4.48',
'9.12.1',
'9.12.1.2',
'9.12.1.3',
'9.12.2',
'9.12.2.1',
'9.12.2.4',
'9.12.2.5',
'9.12.2.9',
'9.12.3',
'9.12.3.2',
'9.12.3.7',
'9.12.3.9',
'9.12.3.12',
'9.12.4',
'9.12.4.2',
'9.12.4.4',
'9.12.4.7',
'9.12.4.10',
'9.12.4.13',
'9.12.4.18',
'9.12.4.24',
'9.12.4.26',
'9.12.4.29',
'9.12.4.30',
'9.12.4.35',
'9.12.4.37',
'9.12.4.38',
'9.12.4.39',
'9.12.4.40',
'9.12.4.41',
'9.12.4.47',
'9.12.4.48',
'9.12.4.50',
'9.12.4.52',
'9.12.4.54',
'9.12.4.55',
'9.12.4.56',
'9.12.4.58',
'9.14.1',
'9.14.1.10',
'9.14.1.15',
'9.14.1.19',
'9.14.1.30',
'9.14.2',
'9.14.2.4',
'9.14.2.8',
'9.14.2.13',
'9.14.2.15',
'9.14.3',
'9.14.3.1',
'9.14.3.9',
'9.14.3.11',
'9.14.3.13',
'9.14.3.15',
'9.14.3.18',
'9.14.4',
'9.14.4.6',
'9.14.4.7',
'9.14.4.12',
'9.14.4.13',
'9.14.4.14',
'9.14.4.15',
'9.14.4.17',
'9.14.4.22',
'9.14.4.23',
'9.15.1',
'9.15.1.1',
'9.15.1.7',
'9.15.1.10',
'9.15.1.15',
'9.15.1.16',
'9.15.1.17',
'9.15.1.21',
'9.16.1',
'9.16.1.28',
'9.16.2',
'9.16.2.3',
'9.16.2.7',
'9.16.2.11',
'9.16.2.13',
'9.16.2.14',
'9.16.3',
'9.16.3.3',
'9.16.3.14',
'9.16.3.15',
'9.16.3.19',
'9.16.3.23',
'9.16.4',
'9.16.4.9',
'9.16.4.14',
'9.16.4.18',
'9.16.4.19',
'9.16.4.27',
'9.16.4.38'
);
}
# Cisco 3000 Series Industrial Security Appliances (ISA)
else if (model =~ "ISA3[0-9]{3}")
{
vuln_versions = make_list(
'9.8.1',
'9.8.1.5',
'9.8.1.7',
'9.8.2',
'9.8.2.8',
'9.8.2.14',
'9.8.2.15',
'9.8.2.17',
'9.8.2.20',
'9.8.2.24',
'9.8.2.26',
'9.8.2.28',
'9.8.2.33',
'9.8.2.35',
'9.8.2.38',
'9.8.3',
'9.8.3.8',
'9.8.3.11',
'9.8.3.14',
'9.8.3.16',
'9.8.3.18',
'9.8.3.21',
'9.8.3.26',
'9.8.3.29',
'9.8.4',
'9.8.4.3',
'9.8.4.7',
'9.8.4.8',
'9.8.4.10',
'9.8.4.12',
'9.8.4.15',
'9.8.4.17',
'9.8.4.20',
'9.8.4.22',
'9.8.4.25',
'9.8.4.26',
'9.8.4.29',
'9.8.4.32',
'9.8.4.33',
'9.8.4.34',
'9.8.4.35',
'9.8.4.39',
'9.8.4.40',
'9.8.4.41',
'9.8.4.43',
'9.8.4.44',
'9.8.4.45',
'9.8.4.46',
'9.8.4.48',
'9.12.1',
'9.12.1.2',
'9.12.1.3',
'9.12.2',
'9.12.2.1',
'9.12.2.4',
'9.12.2.5',
'9.12.2.9',
'9.12.3',
'9.12.3.2',
'9.12.3.7',
'9.12.3.9',
'9.12.3.12',
'9.12.4',
'9.12.4.2',
'9.12.4.4',
'9.12.4.7',
'9.12.4.10',
'9.12.4.13',
'9.12.4.18',
'9.12.4.24',
'9.12.4.26',
'9.12.4.29',
'9.12.4.30',
'9.12.4.35',
'9.12.4.37',
'9.12.4.38',
'9.12.4.39',
'9.12.4.40',
'9.12.4.41',
'9.12.4.47',
'9.12.4.48',
'9.12.4.50',
'9.12.4.52',
'9.12.4.54',
'9.12.4.55',
'9.12.4.56',
'9.12.4.58',
'9.14.1',
'9.14.1.10',
'9.14.1.15',
'9.14.1.19',
'9.14.1.30',
'9.14.2',
'9.14.2.4',
'9.14.2.8',
'9.14.2.13',
'9.14.2.15',
'9.14.3',
'9.14.3.1',
'9.14.3.9',
'9.14.3.11',
'9.14.3.13',
'9.14.3.15',
'9.14.3.18',
'9.14.4',
'9.14.4.6',
'9.14.4.7',
'9.14.4.12',
'9.14.4.13',
'9.14.4.14',
'9.14.4.15',
'9.14.4.17',
'9.14.4.22',
'9.14.4.23',
'9.15.1',
'9.15.1.1',
'9.15.1.7',
'9.15.1.10',
'9.15.1.15',
'9.15.1.16',
'9.15.1.17',
'9.15.1.21',
'9.16.1',
'9.16.1.28',
'9.16.2',
'9.16.2.3',
'9.16.2.7',
'9.16.2.11',
'9.16.2.13',
'9.16.2.14',
'9.16.3',
'9.16.3.3',
'9.16.3.14',
'9.16.3.15',
'9.16.3.19',
'9.16.3.23',
'9.16.4',
'9.16.4.9',
'9.16.4.14',
'9.16.4.18',
'9.16.4.19',
'9.16.4.27',
'9.16.4.38',
'9.17.1',
'9.17.1.7',
'9.17.1.9',
'9.17.1.10',
'9.17.1.11',
'9.17.1.13',
'9.17.1.15',
'9.17.1.20',
'9.17.1.30',
'9.18.1',
'9.18.1.3',
'9.18.2',
'9.18.2.5',
'9.18.2.7',
'9.18.2.8',
'9.18.3',
'9.18.3.39',
'9.18.3.46',
'9.18.3.53',
'9.18.3.55',
'9.19.1',
'9.19.1.5',
'9.19.1.9',
'9.19.1.12',
'9.19.1.18'
);
}
# Cisco Adaptive Security Virtual Appliance (ASAv)
else if (toupper(model) >< 'ASAV')
{
vuln_versions = make_list(
'9.8.1',
'9.8.1.5',
'9.8.1.7',
'9.8.2',
'9.8.2.8',
'9.8.2.14',
'9.8.2.15',
'9.8.2.17',
'9.8.2.20',
'9.8.2.24',
'9.8.2.26',
'9.8.2.28',
'9.8.2.33',
'9.8.2.35',
'9.8.2.38',
'9.8.3',
'9.8.3.8',
'9.8.3.11',
'9.8.3.14',
'9.8.3.16',
'9.8.3.18',
'9.8.3.21',
'9.8.3.26',
'9.8.3.29',
'9.8.4',
'9.8.4.3',
'9.8.4.7',
'9.8.4.8',
'9.8.4.10',
'9.8.4.12',
'9.8.4.15',
'9.8.4.17',
'9.8.4.20',
'9.8.4.22',
'9.8.4.25',
'9.8.4.26',
'9.8.4.29',
'9.8.4.32',
'9.8.4.34',
'9.8.4.35',
'9.8.4.39',
'9.8.4.40',
'9.8.4.41',
'9.8.4.43',
'9.8.4.44',
'9.8.4.45',
'9.8.4.46',
'9.8.4.48',
'9.12.1',
'9.12.1.2',
'9.12.1.3',
'9.12.2',
'9.12.2.1',
'9.12.2.4',
'9.12.2.5',
'9.12.2.9',
'9.12.3',
'9.12.3.2',
'9.12.3.7',
'9.12.3.9',
'9.12.3.12',
'9.12.4',
'9.12.4.2',
'9.12.4.4',
'9.12.4.7',
'9.12.4.10',
'9.12.4.13',
'9.12.4.18',
'9.12.4.24',
'9.12.4.26',
'9.12.4.29',
'9.12.4.30',
'9.12.4.35',
'9.12.4.37',
'9.12.4.38',
'9.12.4.39',
'9.12.4.40',
'9.12.4.41',
'9.12.4.47',
'9.12.4.48',
'9.12.4.50',
'9.12.4.52',
'9.12.4.54',
'9.12.4.55',
'9.12.4.56',
'9.12.4.58',
'9.14.1',
'9.14.1.6',
'9.14.1.10',
'9.14.1.15',
'9.14.1.19',
'9.14.1.30',
'9.14.2',
'9.14.2.4',
'9.14.2.8',
'9.14.2.13',
'9.14.2.15',
'9.14.3',
'9.14.3.1',
'9.14.3.9',
'9.14.3.11',
'9.14.3.13',
'9.14.3.15',
'9.14.3.18',
'9.14.4',
'9.14.4.6',
'9.14.4.7',
'9.14.4.12',
'9.14.4.13',
'9.14.4.14',
'9.14.4.15',
'9.14.4.17',
'9.14.4.22',
'9.14.4.23',
'9.15.1',
'9.15.1.1',
'9.15.1.7',
'9.15.1.10',
'9.15.1.15',
'9.15.1.16',
'9.15.1.17',
'9.15.1.21',
'9.16.1',
'9.16.1.28',
'9.16.2',
'9.16.2.3',
'9.16.2.7',
'9.16.2.11',
'9.16.2.13',
'9.16.2.14',
'9.16.3',
'9.16.3.3',
'9.16.3.14',
'9.16.3.15',
'9.16.3.19',
'9.16.3.23',
'9.16.4',
'9.16.4.9',
'9.16.4.14',
'9.16.4.18',
'9.16.4.19',
'9.16.4.27',
'9.16.4.38',
'9.17.1',
'9.17.1.7',
'9.17.1.9',
'9.17.1.10',
'9.17.1.11',
'9.17.1.13',
'9.17.1.15',
'9.17.1.20',
'9.17.1.30',
'9.18.1',
'9.18.1.3',
'9.18.2',
'9.18.2.5',
'9.18.2.7',
'9.18.2.8',
'9.18.3',
'9.18.3.39',
'9.18.3.46',
'9.18.3.53',
'9.18.3.55',
'9.19.1',
'9.19.1.5',
'9.19.1.9',
'9.19.1.12',
'9.19.1.18'
);
}
# Cisco Secure Firewall 3100 Series
else if (report_paranoia >= 2)
{
vuln_versions = make_list(
'9.17.1',
'9.17.1.9',
'9.17.1.10',
'9.17.1.11',
'9.17.1.13',
'9.17.1.15',
'9.17.1.20',
'9.17.1.30',
'9.18.1',
'9.18.1.3',
'9.18.2',
'9.18.2.5',
'9.18.2.7',
'9.18.2.8',
'9.18.3',
'9.18.3.39',
'9.18.3.46',
'9.18.3.53',
'9.18.3.55',
'9.19.1',
'9.19.1.5',
'9.19.1.9',
'9.19.1.12',
'9.19.1.18'
);
}
else audit(AUDIT_HOST_NOT, 'an affected model');

# The generic workaround handler is collected here; the configuration gate
# below calls it directly for each condition.
var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);

# vuln config requirements:
#   (local creds || http creds) && (sslvpn enabled || ikev2 enabled)

# cond1: a local user with a password, or AAA authentication for HTTP management
var cond1 = {
  'workaround_params': [
    WORKAROUND_CONFIG['local_user_with_password'],
    WORKAROUND_CONFIG['aaa_authentication_http']
  ]
};

# cond2: SSL VPN or IKEv2 enabled
var cond2 = {
  'workaround_params': [
    WORKAROUND_CONFIG['ssl_vpn'],
    WORKAROUND_CONFIG['ikev2_enabled']
  ]
};

# The configuration is only evaluated when local checks are enabled;
# otherwise the result rests on the self-reported version alone.
if (get_kb_item('Host/local_checks_enabled'))
{
  var res_cond1 = CISCO_WORKAROUNDS['generic_workaround'](cond1['workaround_params']);
  var res_cond2 = CISCO_WORKAROUNDS['generic_workaround'](cond2['workaround_params']);

  # Both conditions must hold; if either is absent the host is audited out.
  if (!res_cond1['flag'] || !res_cond2['flag'])
    audit(AUDIT_OS_CONF_NOT_VULN, product_info['name'], product_info['version']);
}

var reporting = make_array(
  'port'    , 0,
  'severity', SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwh23100, CSCwh45108',
  'fix'     , 'See vendor advisory',
  'cmds'    , make_list('show running-config')
);

# Flag the host when its version appears in the model-specific list built above.
cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_versions:vuln_versions
);
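
The configuration gate at the end of the plugin, `(local creds || http creds) && (sslvpn enabled || ikev2 enabled)`, as an added Python example for auditing saved `show running-config` text; it is not Tenable's code. The line patterns and the sample configuration are assumptions based on standard ASA CLI syntax; the plugin's own patterns live in `cisco_workarounds.inc`, which the page does not show.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw
username admin password <constructed-hash> pbkdf2 privilege 15
aaa authentication ssh console LOCAL
crypto ikev2 policy 1
 encryption aes-256
webvpn
 enable outside
 anyconnect enable
"""

# Assumed line patterns; keys reuse the WORKAROUND_CONFIG names from the plugin.
TOP_LEVEL = {
    "local_user_with_password": re.compile(r"username \S+ password \S+"),
    "aaa_authentication_http": re.compile(r"aaa authentication http console \S+"),
    "ikev2_enabled": re.compile(r"crypto ikev2 enable \S+"),
}
WEBVPN_ENABLE = re.compile(r"\s+enable \S+")


def preconditions(config: str) -> dict:
    """Return which of the four configuration conditions are present."""
    found = {name: False for name in (*TOP_LEVEL, "ssl_vpn")}
    section = ""
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line opens a new section
            section = line.split()[0]
            for name, pattern in TOP_LEVEL.items():
                if pattern.match(line):
                    found[name] = True
        elif section == "webvpn" and WEBVPN_ENABLE.match(line):
            found["ssl_vpn"] = True        # `enable <interface>` under global webvpn
    return found


def config_is_exposed(config: str) -> bool:
    """(local creds || http creds) && (sslvpn enabled || ikev2 enabled)."""
    f = preconditions(config)
    has_creds = f["local_user_with_password"] or f["aaa_authentication_http"]
    has_vpn = f["ssl_vpn"] or f["ikev2_enabled"]
    return has_creds and has_vpn
```

A `False` result corresponds to the plugin's `AUDIT_OS_CONF_NOT_VULN` branch. When local checks are not enabled the plugin skips this gate, so a version-only finding is worth confirming against the running configuration.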