A Letter to Brocent Client
Dear Brocent Client,
We are writing to inform you about an important security vulnerability that has recently been identified. This vulnerability concerns the Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software, specifically related to Remote Access VPN.
This vulnerability allows an unauthenticated, remote attacker to establish a VPN session with an affected device, potentially leading to unauthorized access and further exploitation. If you are running Cisco ASA or FTD Software, you may be at risk.
Why is this important?
IT security is an essential aspect of our daily operations. Regular checks and updates can protect your systems from threats and avoid potential business disruption. This vulnerability highlights the need to maintain an active and ongoing IT security posture.
What can you do to workaround around this?
Brute Force Attack Against the LOCAL User Database:
To counter brute force attacks against the LOCAL user database, limit the number of consecutive failed login attempts that the ASA allows for a given user in the LOCAL user database using the aaa local authentication attempts max-fail number command in global configuration mode.
Brute Force Attacks Against an External User Database:
To counter brute force attacks against an external user database, limit the number of consecutive failed login attempts per user in the external user database.
If the external user database is Cisco Identity Services Engine (ISE), this can be configured under Administration > Identity Management > Settings > User Authentication Settings > Lock/Suspend Account with Incorrect Login Attempts.
Dynamic Access Policies:
Administrators can configure a dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used. For more information on how to configure DAP, see the Configure Dynamic Access Policies section of the Cisco ASA Series VPN ASDM Configuration Guide.
Deny Remote Access VPN Using the Default Group Policy (DfltGrpPolicy)
When the DfltGrpPolicy is not expected to be used for remote access VPN policy assignment, administrators can prevent remote access VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups by setting the VPN-simultaneous-logins option for the DfltGrpPolicy to zero
Regular checks:
Carry out regular security audits on your systems. This can help you identify any unusual activity or potential vulnerabilities before they can be exploited.
Education:
Make sure that you and your staff are aware of the potential threats and how to handle them. Regular training and updates on the latest threats can significantly reduce the risk of security breaches.
We urge you to take immediate action to mitigate the risk associated with this vulnerability. If you need any assistance in dealing with this issue or if you have any further questions, please feel free to reach out to our support team.
Thank you for your attention to this critical matter.