Cisco Secure Firewall ASA and FTD Software Denial-of-Service Vulnerability via IPv6 over IPsec VPN
Vulnerability
A denial-of-service vulnerability has been identified in the RADIUS proxy feature of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, specifically on Firepower 2100 Series devices. The vulnerability allows an unauthenticated, remote attacker to cause a DoS condition by sending IPv6 packets over an IPsec VPN connection to an affected device. It is caused by improper processing of those IPv6 packets, which can trigger a reload of the device and thus a DoS condition.
Impact
Exploitation of this vulnerability causes the affected device to reload, creating a denial-of-service condition.
Remediation
Cisco has released free software updates that address this vulnerability. Customers with service contracts should obtain the updates through their usual channels; customers without a service contract should contact the Cisco Technical Assistance Center (TAC) for assistance. Instructions for upgrading Cisco Secure FTD devices are available in the Cisco Secure FMC upgrade guide.
