Cisco Secure Firewall ASA and FTD Software IKEv2 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to trigger a memory leak, causing system instability and disrupting IKEv2 VPN sessions. The issue arises from improper parsing of IKEv2 packets, and exploitation requires sending a continuous stream of crafted IKEv2 packets to the affected device.

Impact

Exploitation of this vulnerability leads to a memory leak that causes system instability, disrupting IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the device.

Remediation

Cisco has released software updates that address this vulnerability. Customers with service contracts should obtain the updates through their usual channels. For instructions on upgrading Cisco Secure FTD devices, see the appropriate Cisco Secure FMC upgrade guide.

Added: Aug 14, 2025, 5:53 PM
Updated: Aug 14, 2025, 5:53 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 7.8
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.