Ransomware fiends pounce on Cisco VPN brute-force zero-day flaw

Heads up: ransomware slingers are exploiting a Cisco zero-day weakness in some of its VPN products. The networking giant has issued an interim workaround to address the oversight as it works on a full patch. The medium-severity flaw, tracked as CVE-2023-20269, exists in the remote access VPN feature of Cisco's Adaptive …

  1. Mike 137 Silver badge

    "... running through all possible or likely username-password combinations"

    They never heard of authentication retry lockout then?

    If you apply retry restrictions properly, u/n-password authentication can be resistant to brute force attack without the need for multifactor. But I did say "apply" and "properly".

    1. Dimmer Silver badge

      Re: "... running through all possible or likely username-password combinations"

      And some kind of bofh notification on failed attempts.

      And - let’s use Active Directory to authenticate! It’s fun, it’s easy, it’s safe.

      All you have to do is get access to the AD and you and your friends can come right on in.

      Kidding aside, most of us have layers, but some don’t and need to be aware that there are no shortcuts for security.

    2. c203

      Re: "... running through all possible or likely username-password combinations"

      I'm sure they have. And have you never heard of denial-of-service attacks? If you allow lockout by actions of a remote unauthenticated attacker, you make it impossible to defend against DoS.

      1. Anonymous Coward

        Re: "... running through all possible or likely username-password combinations"

        Exactly, the solution for this is to throttle where the attempts are coming from and then block for a period of time.

        1. c203

          Re: "... running through all possible or likely username-password combinations"

          A brilliant solution... if you're living in the 90's before botnets.

          Today an attacker can use a botnet to make each attempt come from a different address, while multiple legitimate users might appear to be at one address due to address translation.

          And it also only works if the target is a rare, unpopular device. Otherwise an attacker can make one attempt a day - extremely hard to spot in normal traffic - against each of 10,000 different instances and sell the credentials as they are discovered.

          1. Anonymous Coward

            Re: "... running through all possible or likely username-password combinations"

            Erm, no.

            Works for botnets also.

            First, you restrict access to countries that you would legitimately be receiving connections from.

            You can then enable whitelisted (what's the PC version of whitelist these days, allow list?) IP addresses / ranges that you know are legit sources and are not subject to throttling.

            Then you have 2 options: all allowed IP addresses outside of that are considered a single source for invalid attempts and are all throttled, or they are done individually. You now have a very reduced IP pool that could come from a botnet.

            This pool could then be reduced further, as we are talking about a Cisco VPN / firewall here, by implementing their IPS and blocking all known botnet IP addresses too.
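The three controls argued over in this thread (per-account lockout, per-source throttling, and pooled throttling for non-allowlisted sources) can be compared directly by replaying the same attack against each. The following is an added example, not code from the article, from Cisco, or from any of the commenters. The attacker addresses (198.51.100.0/24), the office allowlist range (203.0.113.0/24), the usernames and the attempt records are all constructed for the simulation; the thresholds are arbitrary.

```python
"""Simulation of three brute-force controls over constructed auth-attempt records.

Added example, not from the article or the commenters. All IPs, users and
thresholds are hypothetical. Each record is (timestamp_s, src_ip, username, password_ok).
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW = 60   # seconds of history a failure counts against a key
LIMIT = 5     # failures per key per window before that key is refused

# Constructed allowlist: the assumed office egress range, exempt from throttling
ALLOWLIST = [ip_network("203.0.113.0/24")]

# Constructed botnet: 20 distinct source addresses, one attempt each
ATTACKER_IPS = [f"198.51.100.{i}" for i in range(1, 21)]
ATTACKER_SET = set(ATTACKER_IPS)

# Constructed attempt log: the botnet guesses alice's password once per second,
# then two office users log in (bob fat-fingers twice, alice gets it right).
ATTEMPTS = [(t, ATTACKER_IPS[t], "alice", False) for t in range(20)]
ATTEMPTS += [
    (22, "203.0.113.10", "bob", False),
    (23, "203.0.113.10", "bob", False),
    (24, "203.0.113.10", "bob", True),
    (25, "203.0.113.10", "alice", True),
]


def is_allowlisted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


class WindowCounter:
    """Sliding-window failure counter keyed by an arbitrary string."""

    def __init__(self, window: int, limit: int):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)

    def blocked(self, key: str, ts: int) -> bool:
        q = self.events[key]
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.limit

    def record_failure(self, key: str, ts: int) -> None:
        self.events[key].append(ts)


# Policies map an attempt to the key it is throttled under (None = not throttled).
def lockout(ip: str, user: str):
    return "user:" + user                      # classic account lockout

def per_source(ip: str, user: str):
    return "ip:" + ip                          # throttle each source address

def pooled(ip: str, user: str):
    if is_allowlisted(ip):
        return None                            # known-good ranges are exempt
    return "pool:untrusted"                    # everything else shares one bucket


def run(attempts, policy, window=WINDOW, limit=LIMIT):
    """Replay attempts under a policy.

    Returns (attacker_attempts_refused, legit_users_refused). A refused attempt is
    one rejected before the password is even checked.
    """
    counter = WindowCounter(window, limit)
    refused_attacker = 0
    refused_legit = []
    for ts, ip, user, ok in attempts:
        key = policy(ip, user)
        if key is not None and counter.blocked(key, ts):
            if ip in ATTACKER_SET:
                refused_attacker += 1
            else:
                refused_legit.append(user)
            continue
        if not ok and key is not None:
            counter.record_failure(key, ts)
    return refused_attacker, refused_legit


if __name__ == "__main__":
    for name, pol in (("lockout", lockout), ("per_source", per_source), ("pooled", pooled)):
        print(f"{name:11s} attacker refused={run(ATTEMPTS, pol)[0]:2d} "
              f"legit refused={run(ATTEMPTS, pol)[1]}")
```

Running it shows each side of the argument: account lockout refuses most of the botnet's guesses but also refuses alice's own correct login afterwards (the DoS c203 describes); per-source throttling refuses nothing, because every attempt arrives from a different address; the pooled bucket refuses the botnet just as well as lockout while the allowlisted office range is untouched. One caveat on the exemption: fully exempting the allowlist means a compromised office host is never throttled, so a per-source bucket for allowlisted addresses (rather than `None`) is the safer variant of the same design.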
