Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software DHCP Denial of Service Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 4.3 Security Advisory

TL;DR 📌

A medium-severity vulnerability has been identified in the DHCP client functionality of Cisco Secure Firewall ASA and FTD Software. This flaw could allow an unauthenticated adjacent attacker to exhaust device memory, leading to a Denial of Service (DoS) condition. Cisco has released software updates to mitigate this risk, but no workarounds are available.

What happened 🕵️‍♂️

A vulnerability in the DHCP client functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software has been discovered. This issue arises from improper validation of incoming DHCP packets, allowing an attacker to send crafted DHCPv4 packets to the device. If exploited, the attacker could exhaust the device’s available memory, resulting in service unavailability and requiring a manual reboot to restore functionality.

Affected products 🖥️

The vulnerability affects devices with the DHCP client feature enabled running vulnerable releases of Cisco Secure Firewall ASA Software and Secure FTD Software. Notably, on Cisco Secure FTD Software, only data interfaces are impacted, while management interfaces remain unaffected.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product First Fixed Release Notes
1.0 Initial public release.

Workarounds 🧯

There are no workarounds available to mitigate this vulnerability.

Risk in context 🎯

With a CVSS score of 4.3, this vulnerability is classified as medium severity. The risk is primarily driven by the potential for an unauthenticated attacker to exploit the vulnerability from an adjacent network, leading to service disruption. Organizations should prioritize applying the available updates to mitigate the risk of exploitation.

Fast facts ⚡

  • Vulnerability: DHCP Denial of Service
  • CVSS Score: 4.3 (Medium)
  • Impact: Denial of Service (DoS)
  • Exploitation: Requires adjacent network access, no authentication needed.
  • Workarounds: None available.
  • Fixed Software: Updates released, specific versions not listed.

For leadership 🧭

This vulnerability poses a Medium risk to our network security posture, with a CVSS score of 4.3. The exposure is driven by the potential for an unauthenticated attacker to exploit the vulnerability from an adjacent network, which could lead to service disruptions requiring manual intervention to restore functionality.

Remediation ask: Patch affected devices within 7 days to mitigate the risk of exploitation. The operational impact is minimal, requiring a brief maintenance window with no expected configuration drift.

Now / Next / Later:

  • Now: Identify affected devices and schedule patching.
  • Next: Monitor for any unusual DHCP traffic that could indicate attempted exploitation.
  • Later: Review and enhance network segmentation to limit exposure to adjacent network threats.