Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 3100 and 4200 Series TLS 1.3 Cipher Denial of Service Vulnerability
TL;DR 📌
A vulnerability in the TLS 1.3 implementation for Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software on Firepower 3100 and 4200 Series devices could allow an authenticated remote attacker to cause a denial of service (DoS) condition. This affects the device’s ability to accept new SSL/TLS or VPN requests. Cisco has released software updates to address this issue, and there are workarounds available.
What happened 🕵️♂️
A vulnerability has been identified in the TLS 1.3 implementation for a specific cipher (TLS_CHACHA20_POLY1305_SHA256) used in Cisco Secure Firewall ASA and FTD Software. An authenticated remote attacker can exploit this vulnerability by sending numerous TLS 1.3 connections, leading to resource exhaustion and a denial of service (DoS) condition. Once in this state, the device will not accept new encrypted connections until it is rebooted.
Affected products 🖥️
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
- Cisco Firepower 3100 Series devices
- Cisco Firepower 4200 Series devices
Note: This vulnerability affects devices configured to allow the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256, which is not the default configuration.
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 1.0 | Initial public release. |
Workarounds 🧯
A workaround to mitigate this vulnerability is available. Administrators can use the command no ssl cipher tlsv1.3 custom <cipher list> to remove the vulnerable cipher from the configuration. It is essential to evaluate the applicability and potential impact of this workaround in your specific environment before implementation.
Risk in context 🎯
With a CVSS score of 7.7, this vulnerability is rated as High. The exposure is primarily driven by the requirement for authentication, but the potential for denial of service could significantly impact availability. Immediate remediation is recommended, as exploitation could lead to service interruptions.
Fast facts ⚡
- Vulnerability: TLS 1.3 Cipher Denial of Service
- CVSS Score: 7.7 (High)
- Affected Devices: Firepower 3100 and 4200 Series with specific TLS configuration
- Impact: Denial of service, requiring device reboot
- Workaround: Remove the vulnerable cipher from configuration
For leadership 🧭
This vulnerability poses a High risk to our network infrastructure, with a CVSS score of 7.7. The primary exposure drivers include the need for authentication and the potential for significant availability impact due to denial of service conditions. Immediate action is required to patch affected devices within 7 days, as Cisco has released software updates to mitigate this issue.
Operationally, the remediation process is expected to involve a brief maintenance window with no anticipated configuration drift.
Now: Review and identify affected devices.
Next: Apply the available software updates or implement the workaround.
Later: Monitor for any unusual activity or indicators of compromise related to this vulnerability.
It’s crucial to act swiftly to protect our network from potential exploitation.