Plug these vulnerabilities in VMware, Cisco products


Administrators of VMware and certain devices from Cisco Systems are being warned to install patches as soon as possible to close serious vulnerabilities.

Multiple vulnerabilities in VMware’s Aria Operations for Networks have been disclosed, with patches issued earlier this week. Meanwhile, researchers at Rapid7 this week issued a detailed report on the physical and virtual versions of Cisco’s ASA SSL VPN appliances being targeted by those deploying the Akira ransomware. This was reported on last week in a Cyber Security Today podcast.

VMware said the most serious problem (CVE-2023-34039) in Aria Operations for Networks is an authentication bypass vulnerability caused by a lack of unique cryptographic key generation. A malicious actor with network access to the application could bypass SSH authentication to gain access to the Aria Operations for Networks interface. VMware gives the flaw a CVSSv3 base score of 9.8.

The second vulnerability (CVE-2023-20890), rated at 7.2, is an arbitrary file write bug. An authenticated malicious actor with administrative access to Aria Operations for Networks can write files to arbitrary locations, resulting in remote code execution.

Rapid7 said its researchers detected increased attempts at getting into Cisco ASA SSL VPN appliances going back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords, the report says. In others, the activity appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users in a group. Several incidents ended in ransomware deployment by the Akira and LockBit groups.

Rapid7 identified at least 11 of its customers who experienced Cisco ASA-related intrusions between March 30 and August 24.

Tip for infosec pros and security awareness trainers: In most of the incidents Rapid7 investigated, threat actors attempted to log into ASA appliances with a common set of usernames, including:

  • admin
  • adminadmin
  • backupadmin
  • kali
  • cisco
  • guest
  • accounting
  • developer
  • ftp user
  • training
  • printer
  • echo
  • security
  • inspector
  • test test
  • snmp
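The attack patterns in the report above (credential stuffing with weak or default accounts, targeted brute force against appliances without MFA, and the common username list Rapid7 saw) are things a defender can look for in ASA authentication logs. The following is an added example, not code from Rapid7, Cisco or the article: it parses a handful of constructed syslog lines modeled on the ASA “AAA user authentication Rejected” message, counts failures per source IP, and raises an alert when a source either sprays several usernames from the watchlist or hammers one account. The message field layout, the thresholds and the IP addresses are assumptions; adjust the regex to your own logging format.

```python
import re
from collections import defaultdict

# Usernames Rapid7 reported seeing in ASA login attempts (taken from the article).
WATCHLIST_USERNAMES = {
    "admin", "adminadmin", "backupadmin", "kali", "cisco", "guest",
    "accounting", "developer", "ftp user", "training", "printer", "echo",
    "security", "inspector", "test test", "snmp",
}

# Regex for an ASA AAA-rejection syslog line. The field layout is an assumption
# modeled on ASA message 113005; check it against your own appliance's output.
ASA_REJECT_RE = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>.+?) : user IP = (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for a rejected-authentication line, or None for anything else."""
    m = ASA_REJECT_RE.search(line)
    if not m:
        return None
    return {
        "reason": m.group("reason").strip(),
        "user": m.group("user").strip(),
        "ip": m.group("ip"),
    }


def analyze(lines, failure_threshold=5, watchlist_threshold=3):
    """Aggregate rejected logins per source IP and flag suspicious sources.

    A source is flagged when it fails at least `failure_threshold` times, or when
    it tries at least `watchlist_threshold` distinct usernames from the watchlist.
    Both thresholds are assumptions for this example; production logic would also
    bound the time window rather than treat the whole input as one batch.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # successful logins and unrelated messages are ignored
        stats = per_ip[rec["ip"]]
        stats["failures"] += 1
        stats["users"].add(rec["user"].lower())

    alerts = {}
    for ip, stats in per_ip.items():
        hits = stats["users"] & WATCHLIST_USERNAMES
        spraying = len(hits) >= watchlist_threshold
        brute = stats["failures"] >= failure_threshold
        if not (spraying or brute):
            continue
        if spraying:
            pattern = "credential_stuffing_watchlist"
        elif len(stats["users"]) == 1:
            pattern = "brute_force_single_account"
        else:
            pattern = "brute_force"
        alerts[ip] = {
            "failures": stats["failures"],
            "distinct_users": len(stats["users"]),
            "watchlist_hits": sorted(hits),
            "pattern": pattern,
        }
    return alerts


def _reject(user, ip):
    # Builds one constructed log line in the assumed ASA 113005 format.
    return (
        "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : "
        f"server = 10.0.0.5 : user = {user} : user IP = {ip}"
    )


# Constructed sample input: one source spraying watchlist names, one benign typo,
# one source repeatedly hitting a single real-looking account, one success line.
SAMPLE_LOGS = (
    [_reject(u, "203.0.113.5") for u in ("admin", "cisco", "guest", "test test", "backupadmin")]
    + [_reject("jsmith", "198.51.100.9")]
    + [_reject("jsmith", "192.0.2.77")] * 6
    + ["%ASA-6-113012: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith"]
)

if __name__ == "__main__":
    for ip, alert in analyze(SAMPLE_LOGS).items():
        print(ip, alert)
```

The split between “watchlist spray” and “single-account brute force” matters for response: the first usually points at opportunistic scanning with default accounts (the report’s credential-stuffing cases), the second at a targeted attempt against a known user, which is where MFA not being enforced for every user in a group becomes the deciding factor.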

Here’s another interesting nugget from the report: In February, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for US$10,000. When several other forums started leaking information from the guide, Bassterlord also offered to rent access to the guide for as little as US$300 for one month.

Rapid7 obtained a leaked copy of the manual, which includes the claim that the author had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.

“It’s possible,” the report says, “that given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.”

The post Plug these vulnerabilities in VMware, Cisco products first appeared on IT World Canada.
Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
