Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 2100 Series IPv6 over IPsec Denial of Service Vulnerability

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

A denial of service (DoS) vulnerability has been identified in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software running on Firepower 2100 Series hardware. It allows an unauthenticated, remote attacker to make an affected device reload unexpectedly by sending crafted IPv6 packets over an IPsec VPN connection. Cisco has released software updates that address the issue; there are no workarounds.

What happened 🕵️‍♂️

The flaw lies in the IPsec VPN feature of Cisco Secure Firewall ASA and FTD Software on the Firepower 2100 Series and is caused by improper processing of IPv6 packets sent over an IPsec VPN connection. An unauthenticated, remote attacker can trigger it by sending crafted IPv6 packets through such a connection. A successful exploit causes the affected device to reload unexpectedly, which drops every tunnel and flow the device carries until it finishes rebooting.

Affected products 🖥️

The vulnerability affects Cisco Firepower 2100 Series Firewalls running vulnerable versions of Cisco Secure Firewall ASA Software or Secure FTD Software under the following conditions:

  • IPsec VPN with IKEv1 or IKEv2 is enabled.
  • IPv6 is enabled on the interface receiving RADIUS traffic.
  • An access control list (ACL) is configured to permit IP traffic.
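
The three conditions above are what an engineer would check across a fleet before deciding which units need the upgrade. The script below is an added example written for this page, not Cisco's code or a tool from the advisory; it parses a constructed ASA-style running-config and a constructed `show version` excerpt (standard ASA CLI syntax is assumed) and reports which interfaces have IKEv1/IKEv2 enabled, IPv6 configured, and a permit-ip ACL applied. Interpreting the ACL condition as an ACL bound to the IKE-enabled interface is this example's assumption, and whether the running release is a fixed one still has to be confirmed against the Cisco advisory.

```python
import re

# Constructed "show running-config" excerpt for illustration only; it is not
# taken from a real device or from the Cisco advisory.
SAMPLE_CONFIG = """\
hostname edge-fw
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 ipv6 address 2001:db8:1::2/64
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any eq 443
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
crypto ikev2 enable outside
crypto ikev1 enable outside
"""

# Constructed "show version" excerpt; only the Hardware line is inspected.
SAMPLE_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)
Hardware:   FPR-2110, 6588 MB RAM
"""


def is_firepower_2100(show_version: str) -> bool:
    """True when the platform line names a Firepower 2100 Series model (FPR-21xx)."""
    return re.search(r"^Hardware:\s+FPR-21\d\d\b", show_version, re.M) is not None


def parse_interfaces(config: str) -> dict:
    """Map each nameif to whether IPv6 is configured on that interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # any top-level line closes an open stanza
            if current and current["nameif"]:
                interfaces[current["nameif"]] = current["ipv6"]
            current = {"nameif": None, "ipv6": False} if raw.startswith("interface ") else None
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("ipv6 address ") or line == "ipv6 enable":
            current["ipv6"] = True
    if current and current["nameif"]:
        interfaces[current["nameif"]] = current["ipv6"]
    return interfaces


def ike_enabled_interfaces(config: str) -> dict:
    """Map nameif -> set of IKE versions enabled on it (crypto ikev1/ikev2 enable <nameif>)."""
    result = {}
    for version, nameif in re.findall(r"^crypto (ikev[12]) enable (\S+)", config, re.M):
        result.setdefault(nameif, set()).add(version)
    return result


def permit_ip_acls_by_interface(config: str) -> dict:
    """Map nameif -> names of applied ACLs that contain a 'permit ip' entry."""
    permit_ip = set(re.findall(r"^access-list (\S+) extended permit ip\b", config, re.M))
    result = {}
    for acl, _direction, nameif in re.findall(
        r"^access-group (\S+) (in|out) interface (\S+)", config, re.M
    ):
        if acl in permit_ip:
            result.setdefault(nameif, set()).add(acl)
    return result


def assess(show_version: str, config: str) -> dict:
    """Report interfaces that meet all three advisory preconditions on a Firepower 2100.

    Platform and configuration only: the running release still has to be
    compared with the first fixed release listed by Cisco.
    """
    ipv6 = parse_interfaces(config)
    ike = ike_enabled_interfaces(config)
    acls = permit_ip_acls_by_interface(config)
    exposed = sorted(n for n in ike if ipv6.get(n) and n in acls)
    on_2100 = is_firepower_2100(show_version)
    return {
        "firepower_2100": on_2100,
        "ike_interfaces": {n: sorted(v) for n, v in ike.items()},
        "exposed_interfaces": exposed,
        "preconditions_met": on_2100 and bool(exposed),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the constructed input the report flags `outside` (IKEv1 and IKEv2 enabled, IPv6 address configured, `OUTSIDE_IN` permits ip) and ignores `inside`, which has no IPv6 and only a TCP/443 ACL. Feed it real `show version` and `show running-config` captures collected over SSH or from a backup to triage a fleet.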

Fixed software 🔧

Upgrade to the first fixed release in your software train (or later). The first-fixed-release table from the Cisco advisory is not reproduced on this page, so confirm the fixed version for your ASA or FTD train in the Cisco Security Advisory or with the Cisco Software Checker before scheduling the upgrade.

Advisory revision history: 1.0, initial public release.

Workarounds 🧯

There are no workarounds available to mitigate this vulnerability.

Risk in context 🎯

With a CVSS score of 8.6, this vulnerability is rated High. Exploitation needs no credentials and no user interaction, and the impact is a full device reload, which interrupts every VPN tunnel and every flow the firewall carries, not just the IPsec connection the attacker used. The exposure is bounded by the preconditions: only Firepower 2100 Series hardware running a vulnerable ASA or FTD release with IPsec VPN (IKEv1 or IKEv2) and IPv6 enabled is affected, and the attacker must be able to send IPv6 packets over an IPsec VPN connection to the device. Internet-facing VPN headends that meet those conditions should be patched first.

Fast facts ⚡

  • Vulnerability Type: Denial of Service (DoS)
  • CVSS Score: 8.6 (High)
  • Exploitation: crafted IPv6 packets sent over an IPsec VPN connection; no authentication or user interaction required
  • Workarounds: None available
  • Fixed Software: Updates released by Cisco; first fixed releases not reproduced on this page, check the advisory for your train

For leadership 🧭

This vulnerability poses a High risk to your organization due to its potential for denial of service attacks, which could disrupt critical services. The exposure is significant as it affects devices configured for IPsec VPN with IPv6 enabled and does not require authentication for exploitation.

Remediation ask: Patch all affected devices within 7 days to mitigate the risk of exploitation.

Operational impact: The upgrade requires a device reload, so plan a maintenance window (or a rolling upgrade on HA pairs). The existing configuration is carried across the upgrade, so no configuration changes are expected.

Clear Now / Next / Later:

  • Now: Inventory Firepower 2100 Series devices running ASA or FTD, confirm which have IPsec VPN (IKEv1 or IKEv2) and IPv6 enabled, and look up the first fixed release for each software train.
  • Next: Apply the fixed software, starting with internet-facing VPN headends, and verify the running version after each reload.
  • Later: Re-check the fleet for any device that was missed, and track the Cisco advisory for revisions that change the affected or fixed releases.

Immediate attention to this advisory is crucial to maintain the integrity and availability of your network services.