Cisco Secure Firewall ASA and FTD Software IPsec Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. This issue arises in the processing of Galois/Counter Mode (GCM)-encrypted Internet Key Exchange version 2 (IKEv2) IPsec traffic. The vulnerability allows an authenticated, remote attacker to cause an unexpected reload of the device, leading to a DoS condition. The issue is caused by the allocation of an insufficiently sized block of memory. To exploit this vulnerability, an attacker must have valid credentials to establish a VPN connection with the affected device.

Impact

Exploitation of this vulnerability causes an unexpected reload of the device, resulting in a denial-of-service condition.

Remediation

Cisco has released software updates to address this vulnerability. For instructions on upgrading Cisco Secure FTD devices, refer to the Cisco Secure FMC upgrade guide. To determine the appropriate software version to upgrade to, use the Cisco Software Checker tool.

Added: Mar 4, 2026, 6:49 PM
Updated: Mar 4, 2026, 6:49 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.9
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.