Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability
Description
A logic error in Cisco ASA and FTD cryptography modules allows an attacker to cause a denial of service by sending malicious IPsec packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device, resulting in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the module handles specific types of decryption errors. This affects only Cisco ASA Software Release 9.16.1 and Cisco FTD Software Release 7.0.0 [1].
Exploitation
An attacker can exploit this vulnerability by sending malicious packets over an established IPsec connection. The attacker must be either authenticated and remote, or unauthenticated but able to perform a man-in-the-middle attack on the IPsec session. No user interaction is required beyond the pre-existing IPsec connection [1].
Impact
Successful exploitation causes the device to crash and reload, leading to a denial of service (DoS). Importantly, Cisco states that successful exploitation does not compromise any encrypted data; only device availability is affected [1].
Mitigation
Cisco has released free software updates to address this vulnerability. The fixed version details are provided in the Cisco Security Advisory [1]. Customers should upgrade to the appropriate fixed release. No workarounds are mentioned in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =9.16.1
- Range: =7.0.0
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ipsec-dos-TFKQbgWC (mitre, vendor-advisory, x_refsource_CISCO)
News mentions
No linked articles in our index yet.