Cisco Secure Firewall Adaptive Security Appliance
cpe:2.3:o:cisco:adaptive_security_appliance:*:*:*:*:*:*:*, +2 more
A denial-of-service vulnerability has been identified in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to trigger a memory leak, leading to system instability. The issue arises from improper parsing of IKEv2 packets, which can be exploited by sending a continuous stream of crafted packets to the affected device. As a result, the device may become unable to establish new IKEv2 VPN sessions, requiring a manual reboot to recover.
Exploitation of this vulnerability causes a memory leak that interferes with IKEv2 VPN session management. On Cisco Secure Firewall ASA and FTD Software, the leak partially exhausts system memory, and the resulting instability prevents the establishment of new IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the device.
Cisco has released software updates that address this vulnerability. Instructions for upgrading Cisco Secure Firewall ASA and FTD Software are available in the respective Cisco Secure Firewall Upgrade Guides. For Cisco Secure Firewall ASA, consult the Cisco Secure Firewall ASA Upgrade Guide. For Cisco Secure FTD Software, see the Cisco Secure FMC Upgrade Guide.