Cisco Secure Firewall Threat Defense Do Not Decrypt Policy Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Cisco Secure Firewall Threat Defense (FTD) Software. This issue arises in the Do Not Decrypt exclusion feature of the SSL decryption capability, affecting devices that are configured to exclude certain traffic from decryption. The vulnerability is linked to improper memory management when inspecting TLS 1.2 encrypted traffic. An unauthenticated, remote attacker could exploit this flaw by sending crafted TLS 1.2 traffic through the affected device, potentially causing the device to reload and disrupt services. Notably, this vulnerability does not impact other versions of TLS.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the affected device to reload and temporarily disrupt services.

Remediation

Cisco has released software updates to address this vulnerability. For instructions on upgrading Cisco Secure FTD devices, refer to the Cisco Secure FMC upgrade guide. To determine the best release to upgrade to, consult the Cisco Secure Firewall Threat Defense Compatibility Guide.

Added: Mar 4, 2026, 7:34 PM
Updated: Mar 4, 2026, 7:34 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          4.5
  impact          2.5
  exploitability  7.8
  remediation     7.7
  relevance       3.5
  threat          0.0
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.