Cisco Secure Firewall Adaptive Security Appliance
cpe:2.3:o:cisco:adaptive_security_appliance:*:*:*:*:*:*:*, +2 more
A denial-of-service vulnerability has been identified in the DHCP client functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, adjacent attacker to exhaust available memory on the affected device. The issue arises from improper validation of incoming DHCP packets. Exploitation involves repeatedly sending crafted DHCPv4 packets to the device, leading to memory exhaustion that disrupts service availability and prevents new processes from starting. As a result, the device experiences a denial-of-service condition that requires a manual reboot. Notably, on Cisco Secure FTD Software, this vulnerability does not impact management interfaces.
Exploitation of this vulnerability exhausts available memory on the device, resulting in a denial-of-service condition. The memory exhaustion affects service availability and prevents new processes from starting, and a manual reboot is required to restore normal operation.
Cisco has released software updates to address this vulnerability. For instructions on upgrading a Cisco Secure FTD device, consult the appropriate Cisco Secure FMC upgrade guide. To determine exposure to vulnerabilities in Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software, use the Cisco Software Checker tool, which identifies relevant security advisories and the earliest fixed releases.