Cisco Secure Firewall ASA and FTD Software NAT DNS Inspection Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability exists in the Network Address Translation (NAT) DNS inspection function of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, for both IPv4 and IPv6. The root cause is an infinite loop that the device enters while processing DNS packets when DNS inspection is enabled and the device is configured for NAT44, NAT64, or NAT46. An unauthenticated, remote attacker can trigger the loop by sending crafted DNS packets that match a static NAT rule on such a device; the loop causes the device to reload unexpectedly, resulting in a DoS condition. A device is exposed only when both conditions hold: DNS inspection is active in an applied service policy, and at least one static NAT rule exists for the packets to match.
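
The two exposure conditions above (DNS inspection active and a static NAT rule present) can be checked from an exported running-config before scheduling an upgrade. The following triage script is an added example and not Cisco's code or tooling; it parses standard ASA configuration syntax and the matching rules it uses are assumptions, not the advisory's authoritative affected-configuration test: `inspect dns` counts only when it sits in a Layer 3/4 policy-map that is actually bound with `service-policy`, and any `nat ... static` or `nat ... source static` line (object NAT or twice NAT, IPv4 or IPv6) counts as a static NAT rule. The two sample configs are constructed for the example, not captured from a real device.

```python
"""Triage helper: flag ASA/FTD running-configs that combine DNS inspection
with static NAT. Added example, not Cisco's code; the matching rules below
are assumptions based on standard ASA configuration syntax."""
import re

# "service-policy NAME global" or "service-policy NAME interface IFNAME"
SERVICE_POLICY_RE = re.compile(r"^service-policy\s+(\S+)\s+(?:global|interface\s+\S+)")
# Layer 3/4 policy-map header; "policy-map type inspect dns NAME" has more tokens and is skipped
POLICY_MAP_RE = re.compile(r"^policy-map\s+(\S+)\s*$")
# object NAT ("nat (in,out) static ...", indented under "object network") or twice NAT
# ("nat (in,out) source static ..."); dynamic rules deliberately do not match
STATIC_NAT_RE = re.compile(r"^\s*nat\s+\([^)]+\)\s+(?:source\s+)?static\b")


def policy_maps_with_dns_inspection(config):
    """Names of Layer 3/4 policy-maps containing an `inspect dns` action."""
    found, current = set(), None
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level command ends the current block
            m = POLICY_MAP_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current and line.strip().startswith("inspect dns"):
            found.add(current)
    return found


def applied_policy_maps(config):
    """Policy-map names bound globally or to an interface via service-policy."""
    applied = set()
    for line in config.splitlines():
        m = SERVICE_POLICY_RE.match(line)
        if m:
            applied.add(m.group(1))
    return applied


def static_nat_rules(config):
    """Every static NAT rule in the config, stripped of indentation."""
    return [line.strip() for line in config.splitlines() if STATIC_NAT_RE.match(line)]


def assess(config):
    """Exposure summary: DNS inspection active AND at least one static NAT rule."""
    dns_policies = policy_maps_with_dns_inspection(config) & applied_policy_maps(config)
    rules = static_nat_rules(config)
    return {
        "dns_inspection_policies": sorted(dns_policies),
        "static_nat_rules": rules,
        # Rules carrying the trailing `dns` keyword also rewrite DNS answers; they are
        # listed separately because they are the ones DNS traffic most obviously matches.
        "static_nat_rules_with_dns_rewrite": [r for r in rules if "dns" in r.split()],
        "exposed": bool(dns_policies) and bool(rules),
    }


# Constructed sample: object NAT with DNS rewrite, a static IPv4-to-IPv6 twice-NAT rule,
# and the default global policy with DNS inspection applied -> exposed.
EXPOSED_CONFIG = """\
hostname asa-edge
object network obj-web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 dns
object network obj-inside-net
 subnet 10.1.0.0 255.255.0.0
object network obj-v4-server
 host 10.1.1.20
object network obj-v6-server
 host 2001:db8:2::20
nat (inside,outside) source dynamic obj-inside-net interface
nat (inside,outside) source static obj-v4-server obj-v6-server
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# Constructed sample: static NAT present, but `inspect dns` only lives in a policy-map
# that is never applied, so DNS inspection is not active -> not exposed.
SAFE_CONFIG = """\
hostname asa-lab
object network obj-web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
policy-map leftover_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, assess(cfg))
```

Run it against `show running-config` output saved from each device; a result with `exposed` set to true means the device carries both conditions and should be prioritised for the fixed release. The check is deliberately conservative: it reports any static NAT rule, not only those with the `dns` rewrite keyword, because the advisory text says crafted packets need only match a static NAT rule.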

Impact

A successful exploit puts the device into an infinite loop, which ends in an unexpected reload and a denial-of-service condition: the firewall stops forwarding and inspecting traffic until the reload completes. Because no authentication is required and the trigger is ordinary DNS traffic matching a NAT rule, an attacker can repeat the attack to keep the device down.

Remediation

Cisco has released free software updates that address this vulnerability. Customers with a service contract should obtain the fixed release through their usual update channels; customers without a service contract should contact the Cisco TAC. Upgrade instructions for Cisco Secure FTD devices are in the Cisco Secure FMC upgrade guide.

Added: Aug 14, 2025, 7:09 PM
Updated: Aug 14, 2025, 7:09 PM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          2.5
  exploitability  7.0
  remediation     7.7
  relevance       0.3
  threat          0.0
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.