Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access VPN Web Server Denial of Service Vulnerability
TL;DR 📌
A denial of service (DoS) vulnerability has been identified in the Remote Access SSL VPN service for Cisco Secure Firewall ASA and FTD Software. This flaw could allow an authenticated attacker to cause the device to reload unexpectedly. Cisco has released updates to address this issue, but no workarounds are available.
What happened 🕵️♂️
A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software has been discovered. This vulnerability arises from incomplete error checking when parsing an HTTP header field value. An authenticated attacker could exploit this by sending a crafted HTTP request, leading to an unexpected device reload and resulting in a denial of service (DoS) condition.
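The advisory attributes the crash to incomplete error checking while parsing an HTTP header field value, but publishes no code or request details. The following C program is an added illustration, not Cisco's code and not a reconstruction of the flaw: it shows the defensive pattern the advisory implies, a header-line parser in which every malformed-input path (missing separator, control bytes such as NUL inside the value, oversized name or value, missing CRLF) returns a distinct error before anything is copied, so the caller can reject the request instead of continuing on unchecked state. All names, limits and sample header lines here are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  64   /* hypothetical fixed buffer sizes */
#define MAX_VALUE_LEN 256

enum hdr_status {
    HDR_OK = 0,
    HDR_ERR_BAD_NAME,     /* empty name or a non-token character in it */
    HDR_ERR_NO_COLON,     /* line ended before the ':' separator */
    HDR_ERR_BAD_VALUE,    /* control byte (NUL, LF, DEL, ...) inside the value */
    HDR_ERR_TOO_LONG,     /* name or value would not fit its fixed buffer */
    HDR_ERR_UNTERMINATED  /* input ran out before CRLF */
};

struct hdr_field {
    char name[MAX_NAME_LEN + 1];
    char value[MAX_VALUE_LEN + 1];
};

/* RFC 7230 tchar: ALPHA / DIGIT / the listed punctuation. */
static int is_tchar(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Parse one "name: value\r\n" line from buf[0..len). Every way the input
 * can be malformed returns an error before any byte is copied to *out. */
static enum hdr_status parse_header_line(const unsigned char *buf, size_t len,
                                         struct hdr_field *out, size_t *consumed)
{
    size_t i = 0, name_len, val_start, val_end;

    /* field-name: a non-empty run of tchar, bounded by MAX_NAME_LEN */
    while (i < len && is_tchar(buf[i])) i++;
    if (i == 0) return HDR_ERR_BAD_NAME;
    if (i > MAX_NAME_LEN) return HDR_ERR_TOO_LONG;
    if (i >= len) return HDR_ERR_UNTERMINATED;
    if (buf[i] == '\r' || buf[i] == '\n') return HDR_ERR_NO_COLON;
    if (buf[i] != ':') return HDR_ERR_BAD_NAME;
    name_len = i++;

    /* optional whitespace after the colon */
    while (i < len && (buf[i] == ' ' || buf[i] == '\t')) i++;

    /* field-value: visible bytes (plus HTAB and obs-text) up to CR */
    val_start = i;
    while (i < len && buf[i] != '\r') {
        unsigned char c = buf[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f) return HDR_ERR_BAD_VALUE;
        if (i - val_start >= MAX_VALUE_LEN) return HDR_ERR_TOO_LONG;
        i++;
    }
    if (i + 1 >= len) return HDR_ERR_UNTERMINATED;   /* no CR, or CR at end */
    if (buf[i + 1] != '\n') return HDR_ERR_BAD_VALUE; /* bare CR inside value */

    /* trim trailing OWS, then copy: both lengths are already proven in range */
    val_end = i;
    while (val_end > val_start && (buf[val_end - 1] == ' ' || buf[val_end - 1] == '\t'))
        val_end--;
    memcpy(out->name, buf, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, buf + val_start, val_end - val_start);
    out->value[val_end - val_start] = '\0';
    *consumed = i + 2;
    return HDR_OK;
}

/* Wrappers that classify a raw line (length-delimited, so NUL bytes count). */
enum hdr_status classify_n(const unsigned char *line, size_t len)
{
    struct hdr_field f;
    size_t used;
    return parse_header_line(line, len, &f, &used);
}

enum hdr_status classify(const char *line)
{
    return classify_n((const unsigned char *)line, strlen(line));
}

/* Constructed case: a value exactly one byte past the buffer limit. */
enum hdr_status classify_overlong_value(void)
{
    unsigned char line[16 + MAX_VALUE_LEN + 8];
    size_t n = (size_t)sprintf((char *)line, "X-Long: ");
    memset(line + n, 'A', MAX_VALUE_LEN + 1);
    n += MAX_VALUE_LEN + 1;
    line[n++] = '\r'; line[n++] = '\n';
    return classify_n(line, n);
}

int main(void)
{
    static const char *cases[] = {
        "Host: vpn.example.net\r\n", /* well-formed, constructed */
        "Cookie\r\n",                /* line ends before ':' */
        "X-Trunc: partial",          /* no CRLF */
        "X-Bad: a\x7f""b\r\n",       /* DEL inside the value */
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("case %zu -> status %d\n", k, (int)classify(cases[k]));
    printf("overlong value -> status %d\n", (int)classify_overlong_value());
    return 0;
}
```

The point of the shape is that no state is written and no length is trusted until every check has passed; a parser that copies first and checks afterwards, or checks only some of these conditions, is the kind of incomplete error checking that lets a single malformed request take down a process that every VPN user depends on.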
Affected products 🖥️
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 7.4 | Cisco_FTD_Hotfix_EI-7.4.2.4-2.sh.REL.tar<br>Cisco_FTD_SSP_FP1K_Hotfix_EI-7.4.2.4-2.sh.REL.tar<br>Cisco_FTD_SSP_FP2K_Hotfix_EI-7.4.2.4-2.sh.REL.tar<br>Cisco_FTD_SSP_FP3K_Hotfix_EI-7.4.2.4-2.sh.REL.tar<br>Cisco_FTD_SSP_Hotfix_EI-7.4.2.4-2.sh.REL.tar<br>Cisco_Secure_FW_TD_4200_Hotfix_EI-7.4.2.4-2.sh.REL.tar | |
Revision history 📝
| Version | Description |
|---|---|
| 1.0 | Initial public release. |
Workarounds 🧯
There are no workarounds available for this vulnerability.
Risk in context 🎯
The vulnerability has a CVSS score of 7.7, categorizing it as High severity. It requires authentication to exploit, but if successfully executed, it could lead to a denial of service, impacting device availability. Organizations should prioritize applying the available fixes to mitigate this risk.
Fast facts ⚡
- Vulnerability: Remote Access VPN Web Server DoS
- CVSS Score: 7.7 (High)
- Impact: Device reload leading to DoS
- Authentication Required: Yes
- Workarounds: None available
For leadership 🧭
This vulnerability presents a High risk to our network infrastructure, with a CVSS score of 7.7. It requires authenticated access, meaning only users with VPN credentials can exploit it. If exploited, the vulnerability could lead to significant downtime due to device reloads. Immediate remediation is necessary; we recommend patching affected devices within 7 days. The operational impact is expected to be minimal, involving a brief maintenance window without configuration drift.
Now: Review the advisory and identify affected devices.
Next: Schedule and apply the necessary software updates.
Later: Monitor for any unusual activity related to VPN access.
By acting promptly, we can maintain the integrity and availability of our network services.